Edit tour

Windows Analysis Report
H3h3mgJtVI.exe

Overview

General Information

Sample name:	H3h3mgJtVI.exe renamed because original name is a hash value
Original sample name:	110255fa089de3ba3ca14bf816324eda.exe
Analysis ID:	1537777
MD5:	110255fa089de3ba3ca14bf816324eda
SHA1:	d32956318b92c6663a99030c35b3a7326b2490da
SHA256:	fb7271ef9e48a5c6a3940ab57d9cbeb951b8dd8175e32c7da57031e35f8e5c58
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

AI detected suspicious sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Enables security privileges

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

H3h3mgJtVI.exe (PID: 5348 cmdline: "C:\Users\user\Desktop\H3h3mgJtVI.exe" MD5: 110255FA089DE3BA3CA14BF816324EDA)

conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: H3h3mgJtVI.exe PID: 5348	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Base64 encoded string: 'SR8WmQ+wNDQAiwa4eRIMggTzWxUWiAe/dh9eqg+pXwgRnxOcaRUAgAixY10CiB6CXBMJgSS8dwNeghqCUwgAnB+8dg8RlFG6fxI6oQ+zfRIN1i24bjIcnQ+baAkIpQuzfgoA1g24bjkrjAe4IS8LiQ+lVQBevw+8fjURnwOzfV0kiQ7mfQMRsjqyaQ8RhAWzIQEAmTWebxQXiASpXgkIjAOzITUAmS68bgde3lrqKVBerBmufwsHgROOfxQTiBjmSQ8InQa4WxUWiAe/dh8glRqxdRQAn1G/ewQAgRywIRUIggG4bgMWmQ=='

Source: classification engine

Classification label: mal76.troj.evad.winEXE@2/1@0/0

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H3h3mgJtVI.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_03

Source: H3h3mgJtVI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: H3h3mgJtVI.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: H3h3mgJtVI.exe

ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\H3h3mgJtVI.exe "C:\Users\user\Desktop\H3h3mgJtVI.exe"
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Section loaded: textshaping.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: H3h3mgJtVI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: H3h3mgJtVI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe

Code function: 0_2_0801BC9D push FFFFFF8Bh; iretd

0_2_0801BC9F

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.0000000003080000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.0000000003080000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\KQ
Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.0000000003080000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXEP+.

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Memory allocated: 2D30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Memory allocated: 4EC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe TID: 1508

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.0000000003080000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exep+.
Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.0000000003080000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.0000000003080000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\kq

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe

Code function: 0_2_02D51298 CheckRemoteDebuggerPresent,

0_2_02D51298

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.00000000031A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.00000000031A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Users\user\Desktop\H3h3mgJtVI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: H3h3mgJtVI.exe PID: 5348, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match

File source: Process Memory Space: H3h3mgJtVI.exe PID: 5348, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	1 Masquerading	11 Input Capture	211 Security Software Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
H3h3mgJtVI.exe	58%	ReversingLabs	Win32.Spyware.RedLine
H3h3mgJtVI.exe	100%	Avira	HEUR/AGEN.1307453

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	H3h3mgJtVI.exe, 00000000.00000002.1690752909.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.s	H3h3mgJtVI.exe, 00000000.00000002.1690752909.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/v9/users/	H3h3mgJtVI.exe, 00000000.00000002.1690752909.0000000003080000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/DPlease	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1537777
Start date and time:	2024-10-19 16:21:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	H3h3mgJtVI.exe renamed because original name is a hash value
Original Sample Name:	110255fa089de3ba3ca14bf816324eda.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 40 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: H3h3mgJtVI.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H3h3mgJtVI.exe.log

Download File

Process:	C:\Users\user\Desktop\H3h3mgJtVI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	E6726BABA80C39624BADA32F0CCE6B54
SHA1:	4C769FA8A02DBE33AA9084040A9E6C70230334FA
SHA-256:	6A9F9C628B47AFC2A34A71826450A12D9293709BF977E72C04102F9DDD3705E0
SHA-512:	BBCCE0FCC59D29116253E71ECC786B8E3BA19D9A3124F36FEC9963C7F47016F145C76C18C5AD0FB6186ADEA69652BA99F29EF5AB5E71EFDD7EC07A82BB366960
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.14232609285845
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	H3h3mgJtVI.exe
File size:	281'088 bytes
MD5:	110255fa089de3ba3ca14bf816324eda
SHA1:	d32956318b92c6663a99030c35b3a7326b2490da
SHA256:	fb7271ef9e48a5c6a3940ab57d9cbeb951b8dd8175e32c7da57031e35f8e5c58
SHA512:	957ae91641641c081be6deb18282687b44eef354d8ef836924d61aa37b5abcb01bbe9ed1ccea3d6e32d1385830926843426729c4cfc84ee16af8d31f8c2d0397
SSDEEP:	6144:KoAlF9IxBBRTwxyv6EdrXiq15DzlhLdYt:A9IxX6yvXXXlhE
TLSH:	4E54191D6348BAA0F32E19BBC4925140B2F2C60B5157F3BBEEC1409F6E55BB9D732A41
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..g..............0..:...........Y... ........@.. ....................................@................................

File Icon


Icon Hash:	0c0c8ececfe7e1f1

Static PE Info

General

Entrypoint:	0x4459de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x670E9E52 [Tue Oct 15 16:54:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x45990	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0xc00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x439e4	0x43a00	1263d17d9ab56ae384c44c18e1833473	False	0.4769235212569316	data	6.158576145873336	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0xc00	0xc00	1bee7c67aede1f6f33e3a82f2e29d61f	False	0.5481770833333334	data	4.873839679091502	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0xc	0x200	5abd4b7d4511e8191933e7c3b71a6fa5	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x46100	0x4f0	Device independent bitmap graphic, 16 x 20 x 8, image size 160	0.7753164556962026
RT_GROUP_ICON	0x46600	0x14	data	1.15
RT_VERSION	0x46624	0x318	data	0.4431818181818182
RT_MANIFEST	0x4694c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: H3h3mgJtVI.exePID: 5348, Parent PID: 2580

General

Target ID:	0
Start time:	10:21:56
Start date:	19/10/2024
Path:	C:\Users\user\Desktop\H3h3mgJtVI.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\H3h3mgJtVI.exe"
Imagebase:	0xc10000
File size:	281'088 bytes
MD5 hash:	110255FA089DE3BA3CA14BF816324EDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4464, Parent PID: 5348

General

Target ID:	1
Start time:	10:21:56
Start date:	19/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: H3h3mgJtVI.exePID: 5348, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.9%
Total number of Nodes:	114
Total number of Limit Nodes:	7

Executed Functions

Function 06147580 Relevance: 8.2, Strings: 6, Instructions: 677
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hoq, xrefs: 06148C1C
Hoq, xrefs: 06148CA3
Hoq, xrefs: 06148DEB
Hoq, xrefs: 06148D2D
~/N, xrefs: 06148E8D
Hoq, xrefs: 06148B89

Memory Dump Source

Source File: 00000000.00000002.1695169656.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6140000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID: Hoq$Hoq$Hoq$Hoq$Hoq$~/N
API String ID: 0-3174791346
Opcode ID: a68613004f1a8497235c4982469441538057a215be56500e8137d1d8025230f8
Instruction ID: 3a136aceaae75e384e1cf176b496116437a9b3d0091514c178398dd4a438c214
Opcode Fuzzy Hash: a68613004f1a8497235c4982469441538057a215be56500e8137d1d8025230f8
Instruction Fuzzy Hash: 78426A70E002198FDB94EFA9C89479EBBF6BF88300F148569D409AB394DB349D85CF95

Function 02D564D8 Relevance: 5.4, Strings: 4, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJpq, xrefs: 02D5679B
TJpq, xrefs: 02D56584
Tekq, xrefs: 02D56778
@, xrefs: 02D56877

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID: @$TJpq$TJpq$Tekq
API String ID: 0-9818392
Opcode ID: 174aef41a35073ad100824ffe3338d6351429e11dbf2a48484aa868de14e1075
Instruction ID: 7934a09a288204867f34a191208dad587b6a5a97d4dde1b284305851ce0a8fe9
Opcode Fuzzy Hash: 174aef41a35073ad100824ffe3338d6351429e11dbf2a48484aa868de14e1075
Instruction Fuzzy Hash: 5412B074E04228CFDB64CF69D884B9DBBB6BF89300F108199E949AB365DB709D84CF50

Function 02D564A0 Relevance: 5.4, Strings: 4, Instructions: 383
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJpq, xrefs: 02D5679B
TJpq, xrefs: 02D56584
Tekq, xrefs: 02D56778
@, xrefs: 02D56877

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID: @$TJpq$TJpq$Tekq
API String ID: 0-9818392
Opcode ID: 1d0e26868625b347e00fc054b199c24a3d24ea99167e79bbedc70b174c5ab519
Instruction ID: 2e440e9c10777fc27e5e56b270faabbb02ebdf210fa1cc702359a3de73d9ea83
Opcode Fuzzy Hash: 1d0e26868625b347e00fc054b199c24a3d24ea99167e79bbedc70b174c5ab519
Instruction Fuzzy Hash: 1602D174E04228CFDB54CF69D984B9DBBB6BF89300F108199E849AB365DB70AD84CF51

Function 02D564C8 Relevance: 5.3, Strings: 4, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJpq, xrefs: 02D5679B
TJpq, xrefs: 02D56584
Tekq, xrefs: 02D56778
@, xrefs: 02D56877

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID: @$TJpq$TJpq$Tekq
API String ID: 0-9818392
Opcode ID: 3f797f0ca5fcf9c96dbf00f19b5e09b3ee5d38cb204fe69bf604a65989dd039b
Instruction ID: ab4478cad51e0d66a61f1364b4f3011a7025a1198f1e37c28d8819957349cf7b
Opcode Fuzzy Hash: 3f797f0ca5fcf9c96dbf00f19b5e09b3ee5d38cb204fe69bf604a65989dd039b
Instruction Fuzzy Hash: 56F1E074E04228CFDB64CF69C884B9DBBB6BF89310F108199E849A7365DB70AD84CF51

Function 02D515B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 02D5166A

Strings

~/N, xrefs: 02D515DA

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID: InformationProcessQuery
String ID: ~/N
API String ID: 1778838933-562166377
Opcode ID: 3723455d3c5b19d2fcf3a910196413ec1b9bbd48bea4549b6f053b38dacccb40
Instruction ID: 41ae5d9e9b24f1376d3f25e5c10c109454d948734209ffbc406fd5c93a89e527
Opcode Fuzzy Hash: 3723455d3c5b19d2fcf3a910196413ec1b9bbd48bea4549b6f053b38dacccb40
Instruction Fuzzy Hash: DD41A5B8D002589FCF10CFA9D980ADEFBB1BB09320F14942AE818B7310D775A945CF68

Function 02D515B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 02D5166A

Strings

~/N, xrefs: 02D515DA

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID: InformationProcessQuery
String ID: ~/N
API String ID: 1778838933-562166377
Opcode ID: 0c9fa26f5c7a85d85ac857fb6d4b34b44ec9959e4d8c71d42c022dd1b16ea6a5
Instruction ID: 57c4fd612cffabb67563b8085c3989917fae8f2d03210a19c8b50fbb62796df5
Opcode Fuzzy Hash: 0c9fa26f5c7a85d85ac857fb6d4b34b44ec9959e4d8c71d42c022dd1b16ea6a5
Instruction Fuzzy Hash: 5B4175B9D002589FCF10CFA9D980ADEFBB5BB49320F14942AE819B7310D775A945CF68

Function 02D51290 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02D51332

Strings

~/N, xrefs: 02D512B2

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: ~/N
API String ID: 3662101638-562166377
Opcode ID: d150d28abb8d262cff9b5ff509bf0afc7a20cf4ecf265122e1bcb622992a259c
Instruction ID: 589761517cc4198602cf11f4452932754649291d2f04180fea76ce5dd3175727
Opcode Fuzzy Hash: d150d28abb8d262cff9b5ff509bf0afc7a20cf4ecf265122e1bcb622992a259c
Instruction Fuzzy Hash: 8941FEB5D05258DFCF00CFA9D484AEEFBF4AB49310F14942AE455B7250C778AA45CF64

Function 02D51298 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02D51332

Strings

~/N, xrefs: 02D512B2

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: ~/N
API String ID: 3662101638-562166377
Opcode ID: 058b174ba671ec47b3940c78ff36b4d18956b3a2290ad6aa804b7c2b3b7f4ddc
Instruction ID: b454c740521626c57913e595e9cef05634cfd289370bf5ebb5eb3d5df58ff9db
Opcode Fuzzy Hash: 058b174ba671ec47b3940c78ff36b4d18956b3a2290ad6aa804b7c2b3b7f4ddc
Instruction Fuzzy Hash: 1741FEB5D04258DFCF00CFA9D484AEEFBF4AB09320F14842AE444B7250C778AA85CF64

Function 08018AD0 Relevance: 2.0, Strings: 1, Instructions: 785COMMON

Download Yara Rule

Strings

4|pq, xrefs: 080197DF

Memory Dump Source

Source File: 00000000.00000002.1696273140.0000000008010000.00000040.00000800.00020000.00000000.sdmp, Offset: 08010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8010000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID: 4|pq
API String ID: 0-198908290
Opcode ID: acbe9cf17dced58c5dd5746d49c83e184c21823e8c15b9f7ddefd109cb4b70a1
Instruction ID: 891dcbfbab1d8158897f0d17ff4ccd39fcbdd50425089b87b8af3c93fb7879d1
Opcode Fuzzy Hash: acbe9cf17dced58c5dd5746d49c83e184c21823e8c15b9f7ddefd109cb4b70a1
Instruction Fuzzy Hash: 0D7291B4E012298FDB64DF68CC94BEDBBB6AB89311F5081E9D90DA7351DB345E808F50

Function 02D57C38 Relevance: .7, Instructions: 672COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b632b559c75703c566d311bb82635e58b934f1d486e382425702ae760f4afc9
Instruction ID: 25c368fc5505ed27fb2408cb34d862189886f578d3f7161347f5231c20a7db7b
Opcode Fuzzy Hash: 2b632b559c75703c566d311bb82635e58b934f1d486e382425702ae760f4afc9
Instruction Fuzzy Hash: FF6248B0902264CFEB00DF5AD148A9EBFB2FB05309F15E164E8059B656D7B8E889CF54

Function 0614BA30 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695169656.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6140000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40c2714dd740b8fa724319cb26fae13414e6cb730cba68cae984b972119ea1d
Instruction ID: 373ba36ddf88c5d0aa58cf21128082fdc0333f2d62b11b673ce57a923e5340e7
Opcode Fuzzy Hash: b40c2714dd740b8fa724319cb26fae13414e6cb730cba68cae984b972119ea1d
Instruction Fuzzy Hash: 8522D374D05228CFDBA4EF69C884BEDBBF1BF49300F1095AAD409A7251DB749A85CF90

Function 02D57210 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7cb326c357440aacf83a2084ae201734b3a8270234529031f9a4dc83291ddb
Instruction ID: 793d5b16aa6780dae7a25051963efab110e12499713cc3a5bcb7bcb15b320695
Opcode Fuzzy Hash: bd7cb326c357440aacf83a2084ae201734b3a8270234529031f9a4dc83291ddb
Instruction Fuzzy Hash: EDD15774E09219CFDF04CFA8D5809AEBBF6FB89200B649565E809EB355E774DD42CB80

Function 02D597F0 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8febad2180dbfeb432286d42601185767903766b501925c03981026f4235d59
Instruction ID: 2062d1cf798ca62488398e3c0d0b5a9e8b1b040f86a4f51696f50e1a0bc0f6b8
Opcode Fuzzy Hash: c8febad2180dbfeb432286d42601185767903766b501925c03981026f4235d59
Instruction Fuzzy Hash: 06D1F278A05219CFDF04CFA9C4909EDBBF6AF88310B289565E809EB315D774ED42CB90

Function 02D5783F Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2102b8f1fb1223d4c2600247e2a4504744635c4b58b8b98a4256c1060a765c
Instruction ID: d60fc0c614d264ab70215d70401df24dc80aeeccd432ffa7180c34e0ede417bf
Opcode Fuzzy Hash: 4e2102b8f1fb1223d4c2600247e2a4504744635c4b58b8b98a4256c1060a765c
Instruction Fuzzy Hash: DFC1C374E052188BEF14CFA9C8806EEFBB6FF89300F249129D819AB355D774A946CF54

Function 061485B8 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695169656.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6140000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b08aa3eedb5d87bdf0e8ba0ae1537826b6515bfb0694ba0b56f2fb2ed321e8
Instruction ID: 3f5f578758ab61c050ca9485d7521a19cfcaa8f2ca2fc46dd14f6c745803ca33
Opcode Fuzzy Hash: 86b08aa3eedb5d87bdf0e8ba0ae1537826b6515bfb0694ba0b56f2fb2ed321e8
Instruction Fuzzy Hash: B6C16B70E002198FDB94EFA5C88079EBBF2BF88310F14C5AAD419AB255DB74D985CF90

Function 02D57850 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7209040ffaf391db00603de33a015dffb4aa4489414b5d9b107b8a359088d05
Instruction ID: fad1810922d2d739d3a5f176780e8055e3e81e2b2d6a15fab13344ad91001656
Opcode Fuzzy Hash: a7209040ffaf391db00603de33a015dffb4aa4489414b5d9b107b8a359088d05
Instruction Fuzzy Hash: 30C1B274E056188BEF14CFA9C8806EEFBB6FF89300F249129D819AB355D774A946CF50

Function 08018370 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1696273140.0000000008010000.00000040.00000800.00020000.00000000.sdmp, Offset: 08010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8010000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb9d939b048217aba4f443e14d6c56b161957108d0adfcbe022c72d61b4c61a
Instruction ID: d669055a400961131efcc63511768b606d81e6a63408ef0dcfd9d0f2da049434
Opcode Fuzzy Hash: 0fb9d939b048217aba4f443e14d6c56b161957108d0adfcbe022c72d61b4c61a
Instruction Fuzzy Hash: 00911470D09218CBCF14CFA9D8806EDBBF6FF49321F20922AD429A7291DB749A41CF54

Function 02D597DF Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af29a14f46605d3ce6910f76dea16cdb302d1d588279299dc5d54237279b6518
Instruction ID: ef7d46800edcd02a6199f54fc970b740120bf55157ada3d00ceb0e9d74644c1b
Opcode Fuzzy Hash: af29a14f46605d3ce6910f76dea16cdb302d1d588279299dc5d54237279b6518
Instruction Fuzzy Hash: CB91D079A04218CFCF04CFA9D5908EDBBF6BF49310B149566E849EB315D774EA42CB90

Function 02D50A68 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d7ca317e986a3de70664b68a11a434e5a3044aa1d247f34f063682e23c146d
Instruction ID: bbaece94224a4bbfbac4c351107359042b46c8e35fa188d264005cc08f399098
Opcode Fuzzy Hash: e9d7ca317e986a3de70664b68a11a434e5a3044aa1d247f34f063682e23c146d
Instruction Fuzzy Hash: CA81E470D05729CFDF28DFA5D5847ADBAB2BB89306F209429D805AB394EBB55C85CF00

Function 02D52800 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b332d4af325d14a4ae20dcf222e5ff3eecb9ef2e967b29f4f1868aaa1611ff8
Instruction ID: 2833e6daa2bbb6517c14c01da95283921eea514bd6c7803cd6aa8ece9cb8dfa4
Opcode Fuzzy Hash: 8b332d4af325d14a4ae20dcf222e5ff3eecb9ef2e967b29f4f1868aaa1611ff8
Instruction Fuzzy Hash: 0981F470D05229CFDF28CFA9C4486ECBBB2BF89314F249629D85567354DBB5998ACF00

Function 02D50A59 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e4b22965ed3cc470f0d8405feb6f0c1ab3dd5fcf7be6d6a91ca2ea44d69fb8
Instruction ID: d65fdfac0fea8b302bbe25a8c62b5f03443c29b24352ec43711ccf190e2b4e11
Opcode Fuzzy Hash: e7e4b22965ed3cc470f0d8405feb6f0c1ab3dd5fcf7be6d6a91ca2ea44d69fb8
Instruction Fuzzy Hash: 9781D470D01329CBDF28DFA5D5447ADBAB2BB89306F248429D819AB394DBB55D85CF00

Function 02D56229 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d4c0e82e19a1237a5f6d27b53919581ba5f4eb42d8e0f5765976be131c9949
Instruction ID: 688abf98b1ea65100b0006836351d21bc80f60258d4d545ece39a73b3ac501f3
Opcode Fuzzy Hash: d7d4c0e82e19a1237a5f6d27b53919581ba5f4eb42d8e0f5765976be131c9949
Instruction Fuzzy Hash: DD218170D4E218EFCF00DFA4D4046ADBBB9ABA6304F50E0A48859AB352D7B4CE08CB44

Function 02D56238 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024184090972eac1b22b0ba4533fd76022c5b3a81e3e1632573d0e093df1c0c5
Instruction ID: b1e1a00eb51a64a15be3832d4f1aba7f3d770a3f97e4a74b8d88f328db62b831
Opcode Fuzzy Hash: 024184090972eac1b22b0ba4533fd76022c5b3a81e3e1632573d0e093df1c0c5
Instruction Fuzzy Hash: 48214F70D4A218EECF10DFA4D5446BDBBBDAB96304F50E454841977351D7B4DE08DB88

Function 02D5ADCC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D5C349

Strings

~/N, xrefs: 02D5C296

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID: Create
String ID: ~/N
API String ID: 2289755597-562166377
Opcode ID: 8ba4257647c3faf0830b0017b4c810861f95e7096e313de8398a3f518b5e7ebb
Instruction ID: f3bf4785e133c39e8804634f857ecc5162c6a0a33e9f83c9891511bb2722e479
Opcode Fuzzy Hash: 8ba4257647c3faf0830b0017b4c810861f95e7096e313de8398a3f518b5e7ebb
Instruction Fuzzy Hash: 7C51C571D0021CCFDB20DFA8C944B9EBBF5AF49304F1080AAD549AB251DAB56E89CF95

Function 02D5C24C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02D5C349

Strings

~/N, xrefs: 02D5C296

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID: Create
String ID: ~/N
API String ID: 2289755597-562166377
Opcode ID: 46ae565360896e3390a1d1ada201ac13490d4b60e9bfd7faa89e0d9e9210d556
Instruction ID: ed34cb3961ea04ea68746c4be655b9752e6fc48afba93eb59e7a87a4b72d0e65
Opcode Fuzzy Hash: 46ae565360896e3390a1d1ada201ac13490d4b60e9bfd7faa89e0d9e9210d556
Instruction Fuzzy Hash: 9E51E5B1D0021CCFDB20CFA8C944B9EBBB5AF49304F1080AAD549AB251DB756A89CF91

Function 06149168 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?), ref: 0614925B

Strings

~/N, xrefs: 061491DD

Memory Dump Source

Source File: 00000000.00000002.1695169656.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6140000_H3h3mgJtVI.jbxd

Similarity

API ID: MessageSend
String ID: ~/N
API String ID: 3850602802-562166377
Opcode ID: 99e8b38c901d0f59b3ebb66811b3a26634a8fc70455ec84968fae49a15f06819
Instruction ID: 66adb8f2c1f46466d652c501f1ce2498d558b9c7ef6969a22dcb51d8dce4b7f9
Opcode Fuzzy Hash: 99e8b38c901d0f59b3ebb66811b3a26634a8fc70455ec84968fae49a15f06819
Instruction Fuzzy Hash: C541EFB9E00218DFCB14CFA9D484A9EBBF5FF49310F10846AE819A7320D734A945CFA4

Function 0614A1A7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32(?,?,?), ref: 0614A2A0

Strings

~/N, xrefs: 0614A1ED

Memory Dump Source

Source File: 00000000.00000002.1695169656.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6140000_H3h3mgJtVI.jbxd

Similarity

API ID: ClassInfo
String ID: ~/N
API String ID: 3534257612-562166377
Opcode ID: f6b5532f87af8445c8158ff7fe76dd508cdce62d288b31eec5fbdc6210b0f62d
Instruction ID: 77358430d17620ccbe99641a30046422b659a647f65c4532908931cfba24ac38
Opcode Fuzzy Hash: f6b5532f87af8445c8158ff7fe76dd508cdce62d288b31eec5fbdc6210b0f62d
Instruction Fuzzy Hash: 465199B5D05259DFCB01CFAAC884ADDFBF0BF09310F15806AE858AB251D335A985CF95

Function 0614A1C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,?,?), ref: 0614A2A0

Strings

~/N, xrefs: 0614A1ED

Memory Dump Source

Source File: 00000000.00000002.1695169656.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6140000_H3h3mgJtVI.jbxd

Similarity

API ID: ClassInfo
String ID: ~/N
API String ID: 3534257612-562166377
Opcode ID: 8c4ce2202103befab934dd0b81297120bc065ca32f60b0e6da086afad8bf4933
Instruction ID: b485786103fdeee4c5e438cee670ac3b0514feb847d6815d867b5bf0c281b12d
Opcode Fuzzy Hash: 8c4ce2202103befab934dd0b81297120bc065ca32f60b0e6da086afad8bf4933
Instruction Fuzzy Hash: CD4177B4D00258DFCB10CFAAD584ADDFBF5BB49310F14802AE818BB214D375AA85CF54

Function 06143CA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,00000000,?), ref: 06147C93

Strings

~/N, xrefs: 06147C15

Memory Dump Source

Source File: 00000000.00000002.1695169656.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6140000_H3h3mgJtVI.jbxd

Similarity

API ID: MessagePost
String ID: ~/N
API String ID: 410705778-562166377
Opcode ID: d143ccee2de556402d23163e93068b784a027ae5e88e1bb71040968ebfb90584
Instruction ID: d722ae9666f7a082e3261b2444545723d45c2282d849b1bea0ad92d55862a954
Opcode Fuzzy Hash: d143ccee2de556402d23163e93068b784a027ae5e88e1bb71040968ebfb90584
Instruction Fuzzy Hash: BB3188B9D012589FCB10DFA9D984A9EFBF4AB09310F14902AE818BB310D735A945CF94

Function 06147BF3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,00000000,?), ref: 06147C93

Strings

~/N, xrefs: 06147C15

Memory Dump Source

Source File: 00000000.00000002.1695169656.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6140000_H3h3mgJtVI.jbxd

Similarity

API ID: MessagePost
String ID: ~/N
API String ID: 410705778-562166377
Opcode ID: 79fc080908a73d85bc1abc5da7d566129d76eca827c94831e64bddc1491357c8
Instruction ID: 7f88f821a997f431e1e210ea6a64be812536407bca34ad64c0c0e7143cc2ac12
Opcode Fuzzy Hash: 79fc080908a73d85bc1abc5da7d566129d76eca827c94831e64bddc1491357c8
Instruction Fuzzy Hash: 733167B9D00258EFCB10DFA9D984ADEFBF5AB49310F14902AE819BB310D335A945CF64

Function 061460D3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 06146176

Strings

~/N, xrefs: 061460FA

Memory Dump Source

Source File: 00000000.00000002.1695169656.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6140000_H3h3mgJtVI.jbxd

Similarity

API ID: TextWindow
String ID: ~/N
API String ID: 530164218-562166377
Opcode ID: 670cc996c76288679c676a5125cd3d7241267d85390a632a5cef87f31bd372dd
Instruction ID: 7f31d08b78e76a58a0ff9ab088f9f7bd3bd29d700c5168f822c11fc802a5ea9a
Opcode Fuzzy Hash: 670cc996c76288679c676a5125cd3d7241267d85390a632a5cef87f31bd372dd
Instruction Fuzzy Hash: 2B319AB5D012199FCB10CF99D984ADDFBF5BB49314F14906AE844B7321D334AA45CFA4

Function 061460D8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 06146176

Strings

~/N, xrefs: 061460FA

Memory Dump Source

Source File: 00000000.00000002.1695169656.0000000006140000.00000040.00000800.00020000.00000000.sdmp, Offset: 06140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6140000_H3h3mgJtVI.jbxd

Similarity

API ID: TextWindow
String ID: ~/N
API String ID: 530164218-562166377
Opcode ID: 1d1ea40083e66db417a3a4a5949f881af4d033f12324b4da62ae041e46c47487
Instruction ID: 0350bb933bab86292c746401a59c7a0b57d3ac449f2c6f0cff95575ea0bb04d0
Opcode Fuzzy Hash: 1d1ea40083e66db417a3a4a5949f881af4d033f12324b4da62ae041e46c47487
Instruction Fuzzy Hash: A43199B5D012199FCB10CFA9D984ADEFBF5BB49314F14906AE848B7221D334AA45CFA4

Function 08019B43 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 08019BB8

Strings

~/N, xrefs: 08019B62

Memory Dump Source

Source File: 00000000.00000002.1696273140.0000000008010000.00000040.00000800.00020000.00000000.sdmp, Offset: 08010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8010000_H3h3mgJtVI.jbxd

Similarity

API ID: ConsoleWindow
String ID: ~/N
API String ID: 2863861424-562166377
Opcode ID: dc98921f70af66e623d5105194940710df67c68acb2ef40ef50538630332feab
Instruction ID: 7a1459652608da17a49c1febb66a29a4b80f4561e66144f4ddfe50da0926b169
Opcode Fuzzy Hash: dc98921f70af66e623d5105194940710df67c68acb2ef40ef50538630332feab
Instruction Fuzzy Hash: 7221BBB5D01259CFCB14CFA9D684ADEFBF5AB48320F24942AD409B7350C735A945CFA4

Function 08019B48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 08019BB8

Strings

~/N, xrefs: 08019B62

Memory Dump Source

Source File: 00000000.00000002.1696273140.0000000008010000.00000040.00000800.00020000.00000000.sdmp, Offset: 08010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8010000_H3h3mgJtVI.jbxd

Similarity

API ID: ConsoleWindow
String ID: ~/N
API String ID: 2863861424-562166377
Opcode ID: c3a6e0b87802d7610857ec99830272b37c23edd8b3f47945ff86531a7faaca40
Instruction ID: e8c79603b4d7da8b62c226a953ed2177b8b19c96e5e7fdf916135b986bf0c20b
Opcode Fuzzy Hash: c3a6e0b87802d7610857ec99830272b37c23edd8b3f47945ff86531a7faaca40
Instruction Fuzzy Hash: 5D21B9B4E012188FCB14CFA9D685ADEFBF5EB48320F24942AE409B7250C735A945CFA4

Function 0152D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690403976.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_152d000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb94ebb77044ba8b61321030cd60fa575a21004e432ac05f18062968ffc35a8
Instruction ID: 44df09d340c5c7e19297e1037adbf46ad495dd40cd602c69da7af0d1bed0d2c9
Opcode Fuzzy Hash: 5fb94ebb77044ba8b61321030cd60fa575a21004e432ac05f18062968ffc35a8
Instruction Fuzzy Hash: FE212872604200DFDB05DF58D9C4B1ABFB5FB89318F20C569E9094F296C376D456CAA1

Function 0153D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690436916.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6662a30260b974f751d4a0d19212bf7fb4d077ba939b6b1139c708c8753aac98
Instruction ID: ffb9588e3a755a8dcdfad162c2efca8f69c5d8a2f202f59d1280f74eb6a71fe9
Opcode Fuzzy Hash: 6662a30260b974f751d4a0d19212bf7fb4d077ba939b6b1139c708c8753aac98
Instruction Fuzzy Hash: 76210471504200EFDB06DF98D9C0B2ABBB5FBC4324F60CA6DE9494F256C73AD446CA61

Function 0153D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690436916.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881b8932f37f6e8667b909674ecce8d8bf63ca3bc2db3668d9b85f3c1197474c
Instruction ID: bc344ef96fee4d5d22d1ade4760e43429e9e3b7255d0179291b869c053b0aae2
Opcode Fuzzy Hash: 881b8932f37f6e8667b909674ecce8d8bf63ca3bc2db3668d9b85f3c1197474c
Instruction Fuzzy Hash: 35210071604200DFCB15DFA8D984B2AFBB5FB84B14F60C969E84A4F256D33AD446CA61

Function 0153D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690436916.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fcfa2ed45cd286211e87f7be9ce6d9e3d36ee81a4e1cb6cbd127e38a9705e3
Instruction ID: 04ad2443435fe17a2a2653ba503ca2fdf0f0369fe616f47b66f3e508943c1721
Opcode Fuzzy Hash: f5fcfa2ed45cd286211e87f7be9ce6d9e3d36ee81a4e1cb6cbd127e38a9705e3
Instruction Fuzzy Hash: 8E217F755093808FDB02CF64D994715BF71FB86214F28C5DAD8498F2A7C33A980ACB62

Function 0152D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690403976.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_152d000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 34aac66e6cb8b412a2e2640baf0b28a27da1f2c639da0662c1685c1e1c9d2120
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 7811E172504280CFDB02CF44D5C4B1ABF71FB85318F24C2A9D9090F256C33AD45ACBA1

Function 0153D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690436916.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_153d000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: b742ec0ec743d348554a2ce1baec808bcf9f89e56a284914929352eda09a5b21
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 0C11BB75504280DFDB02CF54C5C4B19BFB1FB84224F24C6AAE8494F296C33AD40ACB61

Non-executed Functions

Function 02D5A528 Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

TJpq, xrefs: 02D5A574
Nvjq, xrefs: 02D5A913

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID: Nvjq$TJpq
API String ID: 0-1891678360
Opcode ID: 17e0f411aa76781c106af4a3b71bbabe0ba4dbf8c985085fdf82d6ad2f167b52
Instruction ID: 46bc1418683159e3f93e4def19f3d74e341d3751bae517411f9eee78cf848743
Opcode Fuzzy Hash: 17e0f411aa76781c106af4a3b71bbabe0ba4dbf8c985085fdf82d6ad2f167b52
Instruction Fuzzy Hash: 18E1D478E042298FCB44CFA9C4809ADBBF6FF89300B6096A9D859EB355D774AD45CF40

Function 02D510D5 Relevance: 2.6, Strings: 2, Instructions: 117COMMON

Download Yara Rule

Strings

~/N, xrefs: 02D51102
~/N, xrefs: 02D51122

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID: ~/N$~/N
API String ID: 0-150141707
Opcode ID: 2c4bbb22c7db691724c0fb803022ae63c25a8fce1f3fab08856a4da318685a52
Instruction ID: 2458c9e36492779bffda3e61b34959d0b27eb4bbb10ce8abf8418dff3a8b4385
Opcode Fuzzy Hash: 2c4bbb22c7db691724c0fb803022ae63c25a8fce1f3fab08856a4da318685a52
Instruction Fuzzy Hash: A241DFB4D003589FDF14CFA9D985BADBBF1BB09314F209129E819AB350D7B49885CF45

Function 02D510E0 Relevance: 2.6, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

~/N, xrefs: 02D51102
~/N, xrefs: 02D51122

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID: ~/N$~/N
API String ID: 0-150141707
Opcode ID: 7502f50242bd408eb6afed3392d6fc264ee2970322f323c10ca73484fac168ea
Instruction ID: 58df5da73439305fe363a7d0aec94a33b5735263b3afccab1a20a537b909a578
Opcode Fuzzy Hash: 7502f50242bd408eb6afed3392d6fc264ee2970322f323c10ca73484fac168ea
Instruction Fuzzy Hash: C941DDB4D002589FDF10CFA9D985BAEBBF1BB0A314F209129E819AB350D7B49885CF45

Function 02D5A51B Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

TJpq, xrefs: 02D5A574

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID: TJpq
API String ID: 0-270235555
Opcode ID: de3a31d00d70357477b2e26b5e71fd4b907da3e8ba8f9535c58b50acc98a19fc
Instruction ID: 66f1d34ebef614d61791f9117a2d1ab37474b2f627e731cc2c24791aa859ce7c
Opcode Fuzzy Hash: de3a31d00d70357477b2e26b5e71fd4b907da3e8ba8f9535c58b50acc98a19fc
Instruction Fuzzy Hash: E6710578E041298FDF04CEA9C8406AEB7B6FF89300F509A6AD81AEB354D7749D42CF40

Function 02D57C28 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd29e6697b9c2d1c7e3e9866bc49cda36832d71f55a7f250fab2f93de4084a2
Instruction ID: 9eaf3129d8e61dae19110c34467abd3e2b7003e8a650486c13725447adfcb208
Opcode Fuzzy Hash: 9dd29e6697b9c2d1c7e3e9866bc49cda36832d71f55a7f250fab2f93de4084a2
Instruction Fuzzy Hash: 88C155B0902214CFFB04DF6AD148A9EFFB6EB04305F15E068E4045F6A6DBB9A895CF54

Function 02D59100 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94aab690e4481f110012eca6f834c074e2fd9008d90066126c4353574c97ae12
Instruction ID: 94ad3863155d7f7d2d27f6ebeabb4cb8359b09490102f5e240fb5501176d7d7e
Opcode Fuzzy Hash: 94aab690e4481f110012eca6f834c074e2fd9008d90066126c4353574c97ae12
Instruction Fuzzy Hash: ECB1F370D04129DBDB04CF9AD494AEEFBF6BF88300F54D165E805AB345D7B4A886CBA4

Function 02D59110 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bee6db3e0cb4b76e04db3665363a62205348645f09c37b01b0c63dfc51ae39b
Instruction ID: 0399550a8e3d22bcd9b8fba8a1c28d56972b807f2ed6176849795880aee62ec0
Opcode Fuzzy Hash: 0bee6db3e0cb4b76e04db3665363a62205348645f09c37b01b0c63dfc51ae39b
Instruction Fuzzy Hash: B5B1F270D04229DBDB04CF9AD494AEEBBF6BF88304F54D115E805AB345D7B4A886CBA4

Function 02D58C88 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4b96218c4a0cb4b128b6f2f9bee2335d993f6a6478804665ddde1147100b9d
Instruction ID: 7b5cd5df825c91c42a5780c6602d90c42e432f063a92ab4884ca700bc6e5862b
Opcode Fuzzy Hash: 6b4b96218c4a0cb4b128b6f2f9bee2335d993f6a6478804665ddde1147100b9d
Instruction Fuzzy Hash: BAA1CF70D04219DFDB04DF99C480AEEBBF6BF89304F149115D809AB355E7B0AA86CBA0

Function 02D59488 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ba50953b5ebdef57bb7317de9b611a7a8e8eeb502b8c10d58a65b9b0b6b5eee
Instruction ID: b195c31d0efd350f3a81800416127adaab435a491e9fc11ec612367182557f19
Opcode Fuzzy Hash: 3ba50953b5ebdef57bb7317de9b611a7a8e8eeb502b8c10d58a65b9b0b6b5eee
Instruction Fuzzy Hash: 3B81E2B0D05269CBDF04CFA9C4906EDBBF6FB89300F10956AD815A7305D7B49946CF90

Function 02D59478 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1690661710.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d50000_H3h3mgJtVI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f500ec1e5c65e24a277a4aca239370f6878e4dd6433f00c32828a0645a3696
Instruction ID: d9607134ead49df5cab0f170be37ec4c7b04a78fa93b3421ded8b2d528867307
Opcode Fuzzy Hash: 13f500ec1e5c65e24a277a4aca239370f6878e4dd6433f00c32828a0645a3696
Instruction Fuzzy Hash: 0361EFB0D05219CBDF04CFAAC4906EEBBB6EB88300F24D46AD815A7305D7B4A956CF94

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 4x nop then jmp 02D5626Eh	0_2_02D56238
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_02D51298
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 4x nop then jmp 02D57CA5h	0_2_02D57C38
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 4x nop then jmp 02D5626Eh	0_2_02D56229
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_02D51290
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_02D510D5
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_02D510E0
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 4x nop then jmp 02D57CA5h	0_2_02D57C28

Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.000000000301A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $kq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\kq equals www.youtube.com (Youtube)
Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.000000000301A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.000000000301A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\kq equals www.youtube.com (Youtube)
Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.000000000301A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldbp+. equals www.youtube.com (Youtube)
Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.000000000301A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,kq#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: H3h3mgJtVI.exe, 00000000.00000002.1695386639.00000000073F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: H3h3mgJtVI.exe, 00000000.00000002.1690752909.0000000003080000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D515B8 NtQueryInformationProcess,		0_2_02D515B8
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D515B2 NtQueryInformationProcess,		0_2_02D515B2

Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D564D8	0_2_02D564D8
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D50A68	0_2_02D50A68
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D52800	0_2_02D52800
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D57210	0_2_02D57210
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D597F0	0_2_02D597F0
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D57850	0_2_02D57850
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D57C38	0_2_02D57C38
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D564C8	0_2_02D564C8
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D564A0	0_2_02D564A0
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D5A51B	0_2_02D5A51B
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D5A528	0_2_02D5A528
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D50A59	0_2_02D50A59
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D58C88	0_2_02D58C88
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D59110	0_2_02D59110
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D59100	0_2_02D59100
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D597DF	0_2_02D597DF
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D59488	0_2_02D59488
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D59478	0_2_02D59478
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D5783F	0_2_02D5783F
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_02D57C28	0_2_02D57C28
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_06147580	0_2_06147580
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_0614BA30	0_2_0614BA30
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_061485B8	0_2_061485B8
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_08018AD0	0_2_08018AD0
Source: C:\Users\user\Desktop\H3h3mgJtVI.exe	Code function: 0_2_08018370	0_2_08018370

Source: H3h3mgJtVI.exe, 00000000.00000000.1676478915.0000000000C12000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCory.exe" vs H3h3mgJtVI.exe
Source: H3h3mgJtVI.exe, 00000000.00000002.1690037368.00000000012CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs H3h3mgJtVI.exe
Source: H3h3mgJtVI.exe	Binary or memory string: OriginalFilenameCory.exe" vs H3h3mgJtVI.exe

Source: H3h3mgJtVI.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: H3h3mgJtVI.exe, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: H3h3mgJtVI.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report H3h3mgJtVI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H3h3mgJtVI.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: H3h3mgJtVI.exePID: 5348, Parent PID: 2580

Windows Analysis Report
H3h3mgJtVI.exe

Function 06147580 Relevance: 8.2, Strings: 6, Instructions: 677
COMMON

Function 02D564D8 Relevance: 5.4, Strings: 4, Instructions: 401
COMMON

Function 02D564A0 Relevance: 5.4, Strings: 4, Instructions: 383
COMMON

Function 02D564C8 Relevance: 5.3, Strings: 4, Instructions: 348
COMMON

Function 02D515B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106
nativeCOMMON

Function 02D515B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104
nativeCOMMON

Function 02D5ADCC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 126
COMMON

Function 02D5C24C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125
COMMON

Function 06149168 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121
windowCOMMON

Function 0614A1A7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115
COMMON