Edit tour

Windows Analysis Report
LiquidText Installer.exe

Overview

General Information

Sample name:	LiquidText Installer.exe
Analysis ID:	1501320
MD5:	9ab59b8d383a6ab6c131c5e96b4d68de
SHA1:	22192dab0ce673ae164d0fb25cf3a015c3e9c37c
SHA256:	967552d901dbdcc34498c2e57a61bc2846400f90726d951d4075ade86e4af545
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LiquidText Installer.exe (PID: 4760 cmdline: "C:\Users\user\Desktop\LiquidText Installer.exe" MD5: 9AB59B8D383A6AB6C131C5E96B4D68DE)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\LiquidText Installer.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LiquidText Installer.exe.log

Jump to behavior

Source: LiquidText Installer.exe

Static PE information: certificate valid

Source: LiquidText Installer.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdb source: LiquidText Installer.exe
Source:	Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdbSHA256Oy source: LiquidText Installer.exe

Source: LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F713000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/StoreInstaller;component/Resources/StoreAppList.Light.png
Source: LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5FA55000.00000004.00000800.00020000.00000000.sdmp, LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F81C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://e12564.dspb.akamaiedge.net
Source: LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F7F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://e16646.g.akamaiedge.net
Source: LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F713000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Resources/StoreAppList.Light.png
Source: LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F713000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/resources/storeapplist.light.png
Source: LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5FA55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F68E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5FA55000.00000004.00000800.00020000.00000000.sdmp, LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F8EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.UniversalStore.DisplayCatalog.Contracts.Version7.R
Source: LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F68E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/StoreInstaller.Models
Source: LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F7AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F68E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh

Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848E841ED	0_2_00007FF848E841ED
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848E946CE	0_2_00007FF848E946CE
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848EB6672	0_2_00007FF848EB6672
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848E901BD	0_2_00007FF848E901BD
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848E81A15	0_2_00007FF848E81A15
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848F940A8	0_2_00007FF848F940A8
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848F90CBC	0_2_00007FF848F90CBC
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848F91B50	0_2_00007FF848F91B50
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848F977E0	0_2_00007FF848F977E0

Source: LiquidText Installer.exe

Binary or memory string: OriginalFilenameStoreInstaller.exe@ vs LiquidText Installer.exe

Source: classification engine

Classification label: clean4.winEXE@1/5@0/0

Source: C:\Users\user\Desktop\LiquidText Installer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPF8517.tmp

Jump to behavior

Source: C:\Users\user\Desktop\LiquidText Installer.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{f6bec8ba-58ff-4dfc-9981-2ec5ebd23734}-9N9Z9NSV47FL

Source: C:\Users\user\Desktop\LiquidText Installer.exe

File created: C:\Users\user\AppData\Local\Temp\Tmp816B.tmp

Jump to behavior

Source: LiquidText Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LiquidText Installer.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\LiquidText Installer.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LiquidText Installer.exe	String found in binary or memory: Expired)UnknownInstallerType%ProductUnavailableECompatibilityArchitectureCheckFail1CompatibilityOSCheckFail)InstallationStarting-InstallationInProgress%InstallationPaused=InstallationDownloadingPercent+InstallState.CanceledGInstallationDownloadProgressDetails
Source: LiquidText Installer.exe	String found in binary or memory: 0.0-InstallState.Completed
Source: LiquidText Installer.exe	String found in binary or memory: I-install
Source: LiquidText Installer.exe	String found in binary or memory: )Gusto mo bang kanselahin ang pag-install?
Source: LiquidText Installer.exe	String found in binary or memory: Nakumpleto ang pag-install
Source: LiquidText Installer.exe	String found in binary or memory: Ini-install
Source: LiquidText Installer.exe	String found in binary or memory: &Naka-install ang pinakabagong bersyon.
Source: LiquidText Installer.exe	String found in binary or memory: ella l-installazzjoni?
Source: LiquidText Installer.exe	String found in binary or memory: L-installazzjoni tlestiet

Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: ncryptprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: windowscodecsext.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: icm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: windows.applicationmodel.store.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: installservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Section loaded: inputhost.dll	Jump to behavior

Source: C:\Users\user\Desktop\LiquidText Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\LiquidText Installer.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: LiquidText Installer.exe

Static PE information: certificate valid

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: LiquidText Installer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LiquidText Installer.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: LiquidText Installer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdb source: LiquidText Installer.exe
Source:	Binary string: D:\a\_work\1\s\src\StoreInstaller\obj\Release\net472\StoreInstaller.pdbSHA256Oy source: LiquidText Installer.exe

Source: LiquidText Installer.exe

Static PE information: 0xC2ABFCEE [Fri Jun 30 12:28:30 2073 UTC]

Source: LiquidText Installer.exe

Static PE information: real checksum: 0xe0df9 should be: 0xe0d26

Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848D6D2A5 pushad ; iretd	0_2_00007FF848D6D2A6
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848E8E468 pushad ; ret	0_2_00007FF848E8E4E1
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848E955B8 push eax; ret	0_2_00007FF848E95851
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848E95598 push eax; ret	0_2_00007FF848E95851
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848E99E8C push eax; ret	0_2_00007FF848E99EA4
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848E957D8 push eax; ret	0_2_00007FF848E95851
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848E957B8 push eax; ret	0_2_00007FF848E95851
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848E8201D push esi; ret	0_2_00007FF848E82022
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Code function: 0_2_00007FF848F96048 pushad ; ret	0_2_00007FF848F9612D

Source: LiquidText Installer.exe

Static PE information: section name: .text entropy: 6.809768386929733

Source: C:\Users\user\Desktop\LiquidText Installer.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LiquidText Installer.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\LiquidText Installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\LiquidText Installer.exe	Memory allocated: 17E5D8E0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Memory allocated: 17E77420000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\LiquidText Installer.exe

Code function: 0_2_00007FF848F977E0 rdtsc

0_2_00007FF848F977E0

Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 598771	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 598645	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 598517	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 598405	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 598293	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597957	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597602	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597496	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597384	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597277	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597160	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597033	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596557	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596333	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596206	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 595967	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 595856	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 595441	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 595105	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594994	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594884	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594772	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594549	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594215	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594104	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 593880	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 593766	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 593656	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 593547	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 593432	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 593328	Jump to behavior

Source: C:\Users\user\Desktop\LiquidText Installer.exe	Window / User API: threadDelayed 7889			Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Window / User API: threadDelayed 1883			Jump to behavior

Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5520	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -598771s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -598645s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -598517s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -598405s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -598293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -597957s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -597602s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -597496s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -597384s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -597277s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -597160s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -597033s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -596670s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -596557s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -596333s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -596206s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -596078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -595967s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -595856s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -595441s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -595105s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -594994s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -594884s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -594772s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -594671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -594549s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -594437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -594215s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -594104s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -594000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -593880s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -593766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -593656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -593547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -593432s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe TID: 5604	Thread sleep time: -593328s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 598771	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 598645	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 598517	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 598405	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 598293	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597957	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597602	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597496	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597384	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597277	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597160	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 597033	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596670	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596557	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596333	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596206	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 596078	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 595967	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 595856	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 595441	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 595105	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594994	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594884	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594772	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594671	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594549	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594215	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594104	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 593880	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 593766	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 593656	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 593547	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 593432	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Thread delayed: delay time: 593328	Jump to behavior

Source: LiquidText Installer.exe, 00000000.00000002.2500441740.0000017E7BD53000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LiquidText Installer.exe

Code function: 0_2_00007FF848F977E0 rdtsc

0_2_00007FF848F977E0

Source: C:\Users\user\Desktop\LiquidText Installer.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\LiquidText Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Users\user\Desktop\LiquidText Installer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\System32\WinMetadata\Windows.Globalization.winmd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Controls.Ribbon\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Controls.Ribbon.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.WindowsRuntime.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPF8517.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\System32\WinMetadata\Windows.Data.winmd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFFFD4.tmp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LiquidText Installer.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LiquidText Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Virtualization/Sandbox Evasion	Security Account Manager	32 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://foo/Resources/StoreAppList.Light.png	0%	Avira URL Cloud	safe
http://foo/bar/resources/storeapplist.light.png	0%	Avira URL Cloud	safe
http://defaultcontainer/StoreInstaller;component/Resources/StoreAppList.Light.png	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/Microsoft.UniversalStore.DisplayCatalog.Contracts.Version7.R	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/StoreInstaller.Models	0%	Avira URL Cloud	safe
http://www.w3.oh	0%	Avira URL Cloud	safe
http://schemas.datacontract.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.datacontract.org/2004/07/StoreInstaller.Models	LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F68E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Resources/StoreAppList.Light.png	LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F713000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/StoreInstaller;component/Resources/StoreAppList.Light.png	LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F713000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org	LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5FA55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/	LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F68E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F7AB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.datacontract.org/2004/07/Microsoft.UniversalStore.DisplayCatalog.Contracts.Version7.R	LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5FA55000.00000004.00000800.00020000.00000000.sdmp, LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F8EB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/resources/storeapplist.light.png	LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F713000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3.oh	LiquidText Installer.exe, 00000000.00000002.2494440349.0000017E5F68E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501320
Start date and time:	2024-08-29 18:33:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LiquidText Installer.exe
Detection:	CLEAN
Classification:	clean4.winEXE@1/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 62% Number of executed functions: 39 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.29, 88.221.169.124, 20.82.228.9
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, data-edge.smartscreen.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, nav.smartscreen.microsoft.com, storesdk.dsx.mp.microsoft.com.edgekey.net, e12564.dspb.akamaiedge.net, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, ocsp.digicert.com, login.live.com, displaycatalog.mp.microsoft.com, storeedgefd.dsx.mp.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, da.xboxservices.com, purchase.mp.microsoft.com, fe3cr.delivery.mp.microsoft.com, licensing.mp.microsoft.com, browser.events.data.microsoft.com, storesdk.dsx.mp.microsoft.com, store-images.s-microsoft.com, e16646.g.akamaiedge.net, neus2c-displaycatalog.frontdoor.bigcatalog.commerce.microsoft.com, storesdk.xbetservices.akadns.net, www.microsoft.com, livetileedge.dsx.mp.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: LiquidText Installer.exe

Simulations

Behavior and APIs

Time	Type	Description
12:34:30	API Interceptor	3808x Sleep call for process: LiquidText Installer.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LiquidText Installer.exe.log

Download File

Process:	C:\Users\user\Desktop\LiquidText Installer.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	4123
Entropy (8bit):	5.367551725214397
Encrypted:	false
SSDEEP:	96:iqbYqGSI6ou/fmOYqSqtzHeqKksvoqdqZ4UqqIKXWWTvqnqtY:iqbYqGcn/uHqXtzHeqKksvoqdqZrqqlm
MD5:	98EAF0107CE35D6B8105EB6A028BD758
SHA1:	CC14B15DC9D0C75F0E50F4DAA08508AADC530F06
SHA-256:	AE1F300DBA5C185450FB806D7BEB4DF8B0B8CE1CE7160E7BE3964814D41DBD75
SHA-512:	CE0126E0EEEE849EDCADA4B930EC2BC700B1BEE64BC7635633991711D390AA914758D80A7E7648F30D843D064561153CB8CC29D2BB0B92075E3966CCFF12F5F4
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\95a5c1baa004b986366d34856f0a5a75\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\ef4e808cb158d79ab9a2b049f8fab733\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPF8517.tmp

Download File

Process:	C:\Users\user\Desktop\LiquidText Installer.exe
File Type:	PNG image data, 100 x 100, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12712
Entropy (8bit):	7.918649791578471
Encrypted:	false
SSDEEP:	384:KVDrMg5Cag0nKSoSnIxJ+AplLtfSc3md19aOAX:KVDrMg5Ca5qeSLtfS5TSX
MD5:	B3FCC431866A877C1E12C75CD797D430
SHA1:	4B44D7626DA58D207FCDEE18464AD9DE185D86E6
SHA-256:	7A248353396344A50E23A405E38E3226AF84AD51604D72E5B63BA8E4AC5A0BEC
SHA-512:	E4438893B5796F7B070E3F5A7F6D5FE19219CA4F00D702D25B51717ECC8A48902244276EC750E4631A93DB43616AFF8052DE204D425BD9C017CB5D89CB8918A3
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...d...d.....p.T...oiCCPDisplay..H..WwT.w.~....F@AF...(.d..a...ATB. .._.D..RE..Q.u.].Z.....,.U..G...\|.$P......w..=...>oNN....+.E.!P.P1.....L!.>80..L..KJ.!.....{~f........&V.....TV..,.9.RI1@..t.D..v...I..`...0....{.A.._.@...7..0."......L.`..@X&.S.....+.r........?......).....L....[...\|.....>~.8.............Oi.....{k8...g......ZaIL".=..R....0..7r.Fw...R4x.RR..`...RqX..K..P...j.9..h...Y.WE'ks..J........^?...hs.......SB....e../......W&O..`.P............b.ub.....+SD.j...\&"Q.W....KU...~.?9J...]".O.....d...^.Yizl.,RYX.fv.].H..K.V.B......-...E&...h..$m.=B.$k....T%$k......4..e...a.B.!rP...... ..D@..y..M...H.....#......P...1..P..>.E5O7.B..e....x...A.dP.....j........A..P............W..E...a.(v.{.mA...t,.D..A...K..v.7...u.u.u....>A^.\|..ht@.UJ...'..i...... ..B.....E..!.H:.... .....R_L..Z..Kr.q..._f...x.....>.^s.T...\|Y_...R. .K$5..K...P'..T#..a..:C...?.......j..A.B.A......d(u........Y...D%..</_%.Q.d.h.d.`....;...)..L=7...0;.w..[ ...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFFFD4.tmp

Download File

Process:	C:\Users\user\Desktop\LiquidText Installer.exe
File Type:	PNG image data, 68 x 68, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	777
Entropy (8bit):	7.581516394833844
Encrypted:	false
SSDEEP:	24:+mQsOlh5Gn7KtkosCDKCIggagJUCVhdlEkPGq52c:+EmAvVCI5+8hdl9NT
MD5:	A5F45979E0C15389FDB29216EBB19BBF
SHA1:	7CD1E4338E4A0E40D79BDADB431D5F0AE9603DE6
SHA-256:	1B121A7E399FB053BF529883299B0BA0B958FA806CB0CD2B4D255BED58AA8492
SHA-512:	17267975D299B074B7167530ACF3B5C5A4D1D9AA7FF3040D39ACDB36FCE059CF246BEC7B83FBF35CFCA7AC75F00E7347DB6B79040AFE5C083B924552017083E6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...D...D.....8.......pHYs...........~.....IDATx..KC1..._8.. ].t... ......b....IT....I-..C......A..AA.\|..4.M^^............J.(.2=..t.wF.$.266.J....^..V."@../ .w3..qY.U7:....P...WOo....aM.>.j..y./.... L..,...I^@\|a....b..q.:........%i.m4@._....X...........%..u.p..PX.9.XL..\|.H.@.?....\..xm..3...&..~...HREa........b. ...e.@\|$M........ {..,l-$D......i...2.MP....:.tk@#..T.!..a.bP.$..Z.......>@0... C...+...E.3%w..nX...G..;.(...C..I.d....l2U.t<.).....$...L<.......2.....I{.,...=..KA"..H..k. .-.......TR.?&lj.k....D.....?.... ].?g.._....9..S.c.R.....J..G..%..lb ..j6.....!...4..&S(...........A.....J...2@.k>@Z.......h-D.#....... ......... t...3$.`.............4..&.N..Lg...m..2t).J.B.P..".3!.bZV.5.A).2.+T_:R..T.0......c....s0P....IEND.B`.

C:\Users\user\AppData\Local\Temp\Tmp816B.tmp

Download File

Process:	C:\Users\user\Desktop\LiquidText Installer.exe
File Type:	ASCII text, with very long lines (1136), with no line terminators
Category:	dropped
Size (bytes):	1136
Entropy (8bit):	5.884313058724772
Encrypted:	false
SSDEEP:	24:QmeWUJxBiiAFaUlbJ2Hr1mI+Ic2iFerfnmj6BmKHnsZu:ZeX/ZkXgHr1m52iwrPvQInsZu
MD5:	A10F31FA140F2608FF150125F3687920
SHA1:	EC411CC7005AAA8E3775CF105FCD4E1239F8ED4B
SHA-256:	28C871238311D40287C51DC09AEE6510CAC5306329981777071600B1112286C6
SHA-512:	CF915FB34CD5ECFBD6B25171D6E0D3D09AF2597EDF29F9F24FA474685D4C5EC9BC742ADE9F29ABAC457DD645EE955B1914A635C90AF77C519D2ADA895E7ECF12
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MIIDUDCCAjigAwIBAgIQImsjBGfFTk6M7sZzNVcAwDANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDExphdXRoLmluc3RhbGxlcnNlcnZpY2VzLmNvbTAeFw0yMzEwMjUyMzEzNDhaFw0yODEwMjUyMzIzNDhaMCUxIzAhBgNVBAMTGmF1dGguaW5zdGFsbGVyc2VydmljZXMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwnTHlqfx0MmiBSvhwkjmo2Y53B2ED6kyYgNgsSoX090DwL9g08Q2LnfEEFH+mif1Zv6jztT5QvWXjjroucDJQzZFBz/xbd1zilX80JFxD/8TIiKdmg73eXcrkSTsQUz97HwnpZbQDWbQJh/QxbvRIrJrcU2ADGsC5KBpRVXJ3t9m3TKNrfbAtKpPonso6+6GHvwUNTZUU9UgvDV3qGpDSniqumK3a1U9hphJJBb8us3o3538CM3tJAJ2w/bDGA/MOaTInkspZIQpecv16wkMWuLyHUxAaMDIO0tuIKxeIka0PaTAaZdw6BXofnNqwDD5JloOGm323JAR3pe+hJmSmQIDAQABo3wwejAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUL8Xv6MyxPZ8/T+cj4fEkfSpVzqEwHQYDVR0OBBYEFC/F7+jMsT2fP0/nI+HxJH0qVc6hMA0GCSqGSIb3DQEBCwUAA4IBAQASgm1VIK9vC88LPaCv7qPEd2TUtRrOi/VG2HkcpmBIKGoDeFa41jzKpO25iMg4MQhlXuljIYMDch8YpZETcFvBXHzfCF7Rc+kl/K5tFd8kHGMItiPuwZV/BfvL9Wu4gY4g1skfRpiemP1gZvlc1fZlEoYDqAIzODkRyXOd2nsa7zt8iGTdNujZ8A/IyQzGNeqtmt+bpNvKojkB

C:\Users\user\AppData\Local\Temp\Tmp8218.tmp

Download File

Process:	C:\Users\user\Desktop\LiquidText Installer.exe
File Type:	ASCII text, with very long lines (1136), with no line terminators
Category:	dropped
Size (bytes):	1136
Entropy (8bit):	5.884313058724772
Encrypted:	false
SSDEEP:	24:QmeWUJxBiiAFaUlbJ2Hr1mI+Ic2iFerfnmj6BmKHnsZu:ZeX/ZkXgHr1m52iwrPvQInsZu
MD5:	A10F31FA140F2608FF150125F3687920
SHA1:	EC411CC7005AAA8E3775CF105FCD4E1239F8ED4B
SHA-256:	28C871238311D40287C51DC09AEE6510CAC5306329981777071600B1112286C6
SHA-512:	CF915FB34CD5ECFBD6B25171D6E0D3D09AF2597EDF29F9F24FA474685D4C5EC9BC742ADE9F29ABAC457DD645EE955B1914A635C90AF77C519D2ADA895E7ECF12
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MIIDUDCCAjigAwIBAgIQImsjBGfFTk6M7sZzNVcAwDANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDExphdXRoLmluc3RhbGxlcnNlcnZpY2VzLmNvbTAeFw0yMzEwMjUyMzEzNDhaFw0yODEwMjUyMzIzNDhaMCUxIzAhBgNVBAMTGmF1dGguaW5zdGFsbGVyc2VydmljZXMuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwnTHlqfx0MmiBSvhwkjmo2Y53B2ED6kyYgNgsSoX090DwL9g08Q2LnfEEFH+mif1Zv6jztT5QvWXjjroucDJQzZFBz/xbd1zilX80JFxD/8TIiKdmg73eXcrkSTsQUz97HwnpZbQDWbQJh/QxbvRIrJrcU2ADGsC5KBpRVXJ3t9m3TKNrfbAtKpPonso6+6GHvwUNTZUU9UgvDV3qGpDSniqumK3a1U9hphJJBb8us3o3538CM3tJAJ2w/bDGA/MOaTInkspZIQpecv16wkMWuLyHUxAaMDIO0tuIKxeIka0PaTAaZdw6BXofnNqwDD5JloOGm323JAR3pe+hJmSmQIDAQABo3wwejAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUL8Xv6MyxPZ8/T+cj4fEkfSpVzqEwHQYDVR0OBBYEFC/F7+jMsT2fP0/nI+HxJH0qVc6hMA0GCSqGSIb3DQEBCwUAA4IBAQASgm1VIK9vC88LPaCv7qPEd2TUtRrOi/VG2HkcpmBIKGoDeFa41jzKpO25iMg4MQhlXuljIYMDch8YpZETcFvBXHzfCF7Rc+kl/K5tFd8kHGMItiPuwZV/BfvL9Wu4gY4g1skfRpiemP1gZvlc1fZlEoYDqAIzODkRyXOd2nsa7zt8iGTdNujZ8A/IyQzGNeqtmt+bpNvKojkB

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.892151745584676
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LiquidText Installer.exe
File size:	887'840 bytes
MD5:	9ab59b8d383a6ab6c131c5e96b4d68de
SHA1:	22192dab0ce673ae164d0fb25cf3a015c3e9c37c
SHA256:	967552d901dbdcc34498c2e57a61bc2846400f90726d951d4075ade86e4af545
SHA512:	b6491537e103f37529fa76b43e447e09beef0bf0304e95e4c5deb4e65cbbb1ccd7b8ae95e9ada8615faba6be54515afa25b64d47a91b830e37804ee43a074f5a
SSDEEP:	24576:uh2YBcrQm+2DR7BWYpWUo44kEOKBWppwF:UvOM07VZ5EOa+k
TLSH:	9F154C6123EC0439E7770B7ABD7B18511735BC385942E5AE0A8E263C18E2B5789F2737
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......(........... ... ....@.. ....................................`................................

File Icon


Icon Hash:	136cb2b27171b24d

Static PE Info

General

Entrypoint:	0x4c0e1a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC2ABFCEE [Fri Jun 30 12:28:30 2073 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Marketplace CA G 026, OU=EOC, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	07/08/2024 22:09:58 10/08/2024 22:09:58
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	DA4F8E77CBCCC7073945FD8813A14177
Thumbprint SHA-1:	B87BF925B2F005F71FD06A187C7945458EAA6F6F
Thumbprint SHA-256:	C3D08F5D79365578B49276DBD45D4362CA7A1CFEAB94B73F6425E8E7E31841A4
Serial:	330045F94DDCA9588216DC9E2D00010045F94D

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc0dc7	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc2000	0x12520	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd1a00	0x7220
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc0cec	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbee20	0xbf000	c90d953cbcaef046e323bbd26e736bde	False	0.435125061354712	data	6.809768386929733	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc2000	0x12520	0x12600	1c09ed0bb710b875abcf80fded951bd7	False	0.9542676445578231	data	7.935534959106625	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd6000	0xc	0x200	2a5cbd3e673e328fbf0220018b870a96	False	0.041015625	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc21e0	0xd5e7	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	1.0004748077941525
RT_ICON	0xcf7d8	0x1363	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	1.0022164013701391
RT_ICON	0xd0b4c	0xc9d	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	1.0034066274388356
RT_ICON	0xd17fc	0x9da	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced	1.0043616177636796
RT_ICON	0xd21e8	0x691	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	1.006543723973825
RT_ICON	0xd288c	0x490	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	1.009417808219178
RT_ICON	0xd2d2c	0x396	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	1.0119825708061003
RT_ICON	0xd30d4	0x299	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	1.0165413533834586
RT_GROUP_ICON	0xd3380	0x76	data	0.7542372881355932
RT_VERSION	0xd3408	0x3e0	data	0.4324596774193548
RT_MANIFEST	0xd37f8	0xd21	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.3924427253793514

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: LiquidText Installer.exePID: 4760, Parent PID: 1028

General

Target ID:	0
Start time:	12:34:25
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\LiquidText Installer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LiquidText Installer.exe"
Imagebase:	0x17e5d4e0000
File size:	887'840 bytes
MD5 hash:	9AB59B8D383A6AB6C131C5E96B4D68DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: LiquidText Installer.exePID: 4760, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF848E946CE Relevance: 13.0, Strings: 10, Instructions: 524
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'Do, xrefs: 00007FF848E948B0
x6Bo, xrefs: 00007FF848E9495B
x6Bo, xrefs: 00007FF848E948E0
'Do, xrefs: 00007FF848E94749
X[Bo, xrefs: 00007FF848E94700
'Do, xrefs: 00007FF848E94A10
x6Bo, xrefs: 00007FF848E94A40
x6Bo, xrefs: 00007FF848E947FB
'Do, xrefs: 00007FF848E947C7
'Do, xrefs: 00007FF848E94927

Memory Dump Source

Source File: 00000000.00000002.2501816750.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: X[Bo$x6Bo$x6Bo$x6Bo$x6Bo$'Do$'Do$'Do$'Do$'Do
API String ID: 0-2341873655
Opcode ID: 1c8b23e5f53a25aa2f3795ea588e38f8da7f4f94fbd4ec8307c08e016b105a6d
Instruction ID: a17115d963076a3659a860e6ff806e5ec319cab46c5f7f2f564bcdff833f8aa6
Opcode Fuzzy Hash: 1c8b23e5f53a25aa2f3795ea588e38f8da7f4f94fbd4ec8307c08e016b105a6d
Instruction Fuzzy Hash: 0E02287091D6894FE759E768841667ABBE1FF96348F0404BED089DB2D2DBB8AC05C306

Function 00007FF848EB6672 Relevance: 10.8, Strings: 8, Instructions: 779
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`SGo, xrefs: 00007FF848EB6800
x6Bo, xrefs: 00007FF848EB6B33
pSGo, xrefs: 00007FF848EB6890
[Bo, xrefs: 00007FF848EB6988
xSGo, xrefs: 00007FF848EB6C10
x6Bo, xrefs: 00007FF848EB69DA
hSGo, xrefs: 00007FF848EB6814
pSGo, xrefs: 00007FF848EB6B86

Memory Dump Source

Source File: 00000000.00000002.2501816750.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: [Bo$`SGo$hSGo$pSGo$pSGo$x6Bo$x6Bo$xSGo
API String ID: 0-1413590523
Opcode ID: 8e10323d8e7867f14a3aacb38d4a2db39953d34ecbf646119dd33bebe8a13f82
Instruction ID: baa88fb8a3838e5f144a2242dab867db711f8b378eedbef47a6584c110fd6277
Opcode Fuzzy Hash: 8e10323d8e7867f14a3aacb38d4a2db39953d34ecbf646119dd33bebe8a13f82
Instruction Fuzzy Hash: 1E42C371D0DA898FE799EB2888556A97BE0FF56340F0401FED08DDB1A2DF38A845C746

Function 00007FF848F91B50 Relevance: 8.9, Strings: 6, Instructions: 1423COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F91CB9
P&Do, xrefs: 00007FF848F92191
H&Do, xrefs: 00007FF848F92145
x6Bo, xrefs: 00007FF848F92393
X&Do, xrefs: 00007FF848F921DD
@&Do, xrefs: 00007FF848F91CCB

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: @&Do$H&Do$P&Do$X&Do$x6Bo$x6Bo
API String ID: 0-1456816284
Opcode ID: 0454a7da0913c63476eeb180357c5c1348808afc7164135803bb58d019a716c7
Instruction ID: eb16b8c8644d1714ba5305ba407b198e730a0cf89ad54e47168de032356f4cde
Opcode Fuzzy Hash: 0454a7da0913c63476eeb180357c5c1348808afc7164135803bb58d019a716c7
Instruction Fuzzy Hash: CD921530A0CA894FE799EB2C9455A757BE1EF56354F0401BED04EC72E3DE28AC86C785

Function 00007FF848F940A8 Relevance: 8.5, Strings: 6, Instructions: 1045
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@&Do, xrefs: 00007FF848F943FB
x6Bo, xrefs: 00007FF848F943E9
x6Bo, xrefs: 00007FF848F94166
@&Do, xrefs: 00007FF848F945F4
x6Bo, xrefs: 00007FF848F94606
@&Do, xrefs: 00007FF848F94154

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: @&Do$@&Do$@&Do$x6Bo$x6Bo$x6Bo
API String ID: 0-29637834
Opcode ID: ec6f7e46877462eeef9d745c2ba21c95afc0d45ae03711acbae41554554aa36e
Instruction ID: 44566b0c68da31ac8ca747a62592b44b4854eacea899696f309f3cca09edea68
Opcode Fuzzy Hash: ec6f7e46877462eeef9d745c2ba21c95afc0d45ae03711acbae41554554aa36e
Instruction Fuzzy Hash: 5052F431A0CA894FE799A72C98196707BD1EF76354F0401FED08EC72E3DE19AC468795

Function 00007FF848E841ED Relevance: 6.8, Strings: 5, Instructions: 596
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ZBo, xrefs: 00007FF848E850D3
ZBo, xrefs: 00007FF848E85032
ZBo, xrefs: 00007FF848E850BB
ZBo, xrefs: 00007FF848E84FD4
L_H, xrefs: 00007FF848E85040

Memory Dump Source

Source File: 00000000.00000002.2501816750.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: L_H$ZBo$ZBo$ZBo$ZBo
API String ID: 0-691317972
Opcode ID: 518f5c9710f3562cad56b83b275300300246b37ae8b7bb478f4db62472d10bf6
Instruction ID: 392c365481069d4620497833a6cc7e1d8abd20fd9212a6b241dabf0d36e5d250
Opcode Fuzzy Hash: 518f5c9710f3562cad56b83b275300300246b37ae8b7bb478f4db62472d10bf6
Instruction Fuzzy Hash: B0223A61D0D6C94FE75AA7788812AADBFE0FF52384F4802FED089CB1D3DE2864098755

Function 00007FF848F90CBC Relevance: 6.1, Strings: 4, Instructions: 1068
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x6Bo, xrefs: 00007FF848F91434
x6Bo, xrefs: 00007FF848F90D49
&<_H, xrefs: 00007FF848F916DF
&Do, xrefs: 00007FF848F91265

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: &Do$&<_H$x6Bo$x6Bo
API String ID: 0-2145163841
Opcode ID: ec6eac8e0d235d0787d25e2bfabba98f9035f0de205d6a745cd7307d248a4039
Instruction ID: 55d5ba1cb789c2e36551129bebbf3886cc4042cddd305adb308d08b5b2dc18f4
Opcode Fuzzy Hash: ec6eac8e0d235d0787d25e2bfabba98f9035f0de205d6a745cd7307d248a4039
Instruction Fuzzy Hash: 2C622630A0DA894FE79AEB2884156757BE1EF56354F0801FED08ECB2E3DE28AC45C755

Function 00007FF848F977E0 Relevance: 5.7, Strings: 4, Instructions: 726
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@&Do, xrefs: 00007FF848F97AB4
x6Bo, xrefs: 00007FF848F978A6
x6Bo, xrefs: 00007FF848F97AC6
@&Do, xrefs: 00007FF848F97894

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: @&Do$@&Do$x6Bo$x6Bo
API String ID: 0-1010489272
Opcode ID: 7ee342facbec4a364d9f683115c4b25fef17ed0c8b2e21279d6b2f11671a8f7a
Instruction ID: 5e42fdc39a3d1e1296c9d3192ea6e6c0ae1c2a64ca57fe18855628e8506efe6a
Opcode Fuzzy Hash: 7ee342facbec4a364d9f683115c4b25fef17ed0c8b2e21279d6b2f11671a8f7a
Instruction Fuzzy Hash: 0612F431A0CF8A5FE399AB2858196747BD1EF56264F1801FED08DC72E3DF19AC428785

Function 00007FF848F95741 Relevance: 7.0, Strings: 5, Instructions: 704
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;_H, xrefs: 00007FF848F95BDF
@&Do, xrefs: 00007FF848F959F4
x6Bo, xrefs: 00007FF848F95A06
x6Bo, xrefs: 00007FF848F957E6
@&Do, xrefs: 00007FF848F957D4

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: @&Do$@&Do$x6Bo$x6Bo$;_H
API String ID: 0-483666434
Opcode ID: 7cb6c6aae3fe15c70a52dfeb5cfe3809ed0cba3d93b78c86ef97743ba2980fca
Instruction ID: a4a765da36e833b1fe31a4fa47e95c98f5aa443b01d279513ba833e0127a391c
Opcode Fuzzy Hash: 7cb6c6aae3fe15c70a52dfeb5cfe3809ed0cba3d93b78c86ef97743ba2980fca
Instruction Fuzzy Hash: 42123731A0CA894FE359AB2898556703FD1EF5A364F1801FED08EC72E3DE19BC468795

Function 00007FF848F92DC9 Relevance: 3.0, Strings: 2, Instructions: 483COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F92EBE
@&Do, xrefs: 00007FF848F92EAC

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: @&Do$x6Bo
API String ID: 0-3943323974
Opcode ID: ecf0da8765e9ae62337ed2a0df2fdad4083c52b557dfe0dc4d9c7163216b91ca
Instruction ID: 676f4647657d6d7b10dedf1e00ee6ee9be1747a734cd79daf49e335ecbd0ebe0
Opcode Fuzzy Hash: ecf0da8765e9ae62337ed2a0df2fdad4083c52b557dfe0dc4d9c7163216b91ca
Instruction Fuzzy Hash: 4DD12631A0DA8A4FE35AA77C98596743BD1EF56254F0801FFD08DC72E3DE18AC068396

Function 00007FF848F94FC8 Relevance: 2.9, Strings: 2, Instructions: 437COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F950A6
@&Do, xrefs: 00007FF848F95094

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: @&Do$x6Bo
API String ID: 0-3943323974
Opcode ID: 525c9b22458d053c981aa24eba6bab110003614e16040dc117f4d1fedab32929
Instruction ID: 3c3dc09f418eba07f04ee023865632d6b6bf2472c4be4932c783832a87db8951
Opcode Fuzzy Hash: 525c9b22458d053c981aa24eba6bab110003614e16040dc117f4d1fedab32929
Instruction Fuzzy Hash: 40B13431A0CA8A4FE359A72898256707FD1EF5A254F0801FFD08EC72E3DA59AC468395

Function 00007FF848F91052 Relevance: 2.9, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F91434
&Do, xrefs: 00007FF848F91265

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: &Do$x6Bo
API String ID: 0-3077167330
Opcode ID: 5408c6845fb42e142231d131eed66f883b4b76748ccb081970e86327bc0af69d
Instruction ID: 0b5b61914d891c2cfbf6474a6374804096820b6017a5d0a4d1e418638d1c2239
Opcode Fuzzy Hash: 5408c6845fb42e142231d131eed66f883b4b76748ccb081970e86327bc0af69d
Instruction Fuzzy Hash: A0D12870A0DE854FE396EB2884216B57BE1FF56390F0941FED08EC72D3DE28A8458765

Function 00007FF848F90ECA Relevance: 2.9, Strings: 2, Instructions: 360COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F91434
&Do, xrefs: 00007FF848F91265

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: &Do$x6Bo
API String ID: 0-3077167330
Opcode ID: 598cf8a8494763009960c5f2e9aee046718bd5039adf7190125b8404c1a4ae0d
Instruction ID: 2f4d65d754b6193a5889bdd65cba7410b349398b4c1abb92eee3f5baa9bd4da4
Opcode Fuzzy Hash: 598cf8a8494763009960c5f2e9aee046718bd5039adf7190125b8404c1a4ae0d
Instruction Fuzzy Hash: 8AC11430A0DB858FE796EB388454A757BE1EF56354F0901FAD08DCB2E3DA28AC85C751

Function 00007FF848F94570 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

@&Do, xrefs: 00007FF848F945F4
x6Bo, xrefs: 00007FF848F94606

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: @&Do$x6Bo
API String ID: 0-3943323974
Opcode ID: 8990d81bb95849a1eded0898fe4d2b2b42ab448f17293f82d9a26cd1c30aafb0
Instruction ID: a07c6f781c1067b286e665a90a54d1fad6400641e0e15d40c9ca2a99d68f835d
Opcode Fuzzy Hash: 8990d81bb95849a1eded0898fe4d2b2b42ab448f17293f82d9a26cd1c30aafb0
Instruction Fuzzy Hash: 2341F571F0C94E5FE29CA72C681657177C2EBAA754F1402BEE44DC37D3EE45AC02868A

Function 00007FF848F93F2E Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F93F63
1Do, xrefs: 00007FF848F93F51

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: 1Do$x6Bo
API String ID: 0-3239567568
Opcode ID: 570203c0446d03aa8cd761420b4f36586457d9aabb0bf6390bda8e42e4a76f3d
Instruction ID: 4e2b017fd3b2dc2912c0a86cd73c2f1788b78ba0143d713397ae2f1c88dd3e0a
Opcode Fuzzy Hash: 570203c0446d03aa8cd761420b4f36586457d9aabb0bf6390bda8e42e4a76f3d
Instruction Fuzzy Hash: 6541E672E1DA898FE39CE72C58162747BD1FF65258F1411BED04EC72E2DB1AAC05834A

Function 00007FF848F906CA Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F907A4
x6Bo, xrefs: 00007FF848F906E3

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo$x6Bo
API String ID: 0-1636319133
Opcode ID: da2e6008acd244aeda3c9c2c384e11cf2a98e2698ec00ea374969d32c5990662
Instruction ID: 35ea5d2f1cb27418ff25d8b089a674c73a96c4f37c729879eb42ebc4167ebacc
Opcode Fuzzy Hash: da2e6008acd244aeda3c9c2c384e11cf2a98e2698ec00ea374969d32c5990662
Instruction Fuzzy Hash: 6641E572E1DA894FE399FB2C481AA743BD1EFA5354F1401BED48DC72E3DA189C01874A

Function 00007FF848F9486B Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

(1Do, xrefs: 00007FF848F9488B
x6Bo, xrefs: 00007FF848F9489D

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: (1Do$x6Bo
API String ID: 0-2060403400
Opcode ID: 299e5aacb90304a72383084661df1163c409c710d5f9f65c7db6f44e17472c48
Instruction ID: 05da124ca2ea750877372bdcf522ba524efaf15917acb440c87800cacfd6fd77
Opcode Fuzzy Hash: 299e5aacb90304a72383084661df1163c409c710d5f9f65c7db6f44e17472c48
Instruction Fuzzy Hash: B4412632E1DAC54FE39CEB2C54162B4BBD0FB75359F1401BEC48AC72D2DE1958468346

Function 00007FF848F949CE Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

81Do, xrefs: 00007FF848F949F1
x6Bo, xrefs: 00007FF848F94A03

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: 81Do$x6Bo
API String ID: 0-3591307449
Opcode ID: 1d0b21f22d45a090c8356250ad949142a8f80e057922587ead3d9e410d98af59
Instruction ID: e083b43e9fd8d9c9874ace5c67b13da035274a20f9c1ec4ba324c6c9e9e462d0
Opcode Fuzzy Hash: 1d0b21f22d45a090c8356250ad949142a8f80e057922587ead3d9e410d98af59
Instruction Fuzzy Hash: A241E272E1DA894FE399EF2C54162B47BD1FB7A254F0401BED08EC72D2EA195806874A

Function 00007FF848F9491B Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

01Do, xrefs: 00007FF848F9493E
x6Bo, xrefs: 00007FF848F94950

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: 01Do$x6Bo
API String ID: 0-1842848417
Opcode ID: d32aa8c3ca07d9099f33cda60811b2c875f12974868f29eed215e6f04ccff322
Instruction ID: c6dc099acdcff7ef4e79ba837985abaf24d644f7507aae7b911e6a325a0b89fb
Opcode Fuzzy Hash: d32aa8c3ca07d9099f33cda60811b2c875f12974868f29eed215e6f04ccff322
Instruction Fuzzy Hash: 1221D571B1CA894FE39CEB2C941A3B477C1FB6A355F0400BED08EC7292DA199C428746

Function 00007FF848F90BF4 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F90C1E
%Do, xrefs: 00007FF848F90C0C

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo$%Do
API String ID: 0-1708500522
Opcode ID: 0fe418c35253bb01209d5e25c2de711fcd7aef233481d5bd6d891346026625d5
Instruction ID: e26aa1be8aaef983523d52b5c0c38ce6d534fbf34c61380987a482db4592f462
Opcode Fuzzy Hash: 0fe418c35253bb01209d5e25c2de711fcd7aef233481d5bd6d891346026625d5
Instruction Fuzzy Hash: 9C21B671D0DA895FE399FB2848195747BD1EFA6644F0400FED489C72E3DA285C448319

Function 00007FF848F9612E Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F96146
@&Do, xrefs: 00007FF848F96134

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: @&Do$x6Bo
API String ID: 0-3943323974
Opcode ID: 6e59f9488651b70f8cc57e80a777a11ccfb3cc953e8498834b575e949500f069
Instruction ID: f92f8e1b89c539a60af7c7baccaed3a6eabbb4aefb5fe628ec57c5045126d9b9
Opcode Fuzzy Hash: 6e59f9488651b70f8cc57e80a777a11ccfb3cc953e8498834b575e949500f069
Instruction Fuzzy Hash: B011A771B1DA894FD39CE76C5456A747BD1EB59644F0401FFC08ACB2E3EA159C418386

Function 00007FF848F935F9 Relevance: 1.8, Strings: 1, Instructions: 573COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F93753

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: bcae45a391650bae09c9a9bca31506aed7b4da649169197148668c5eeae27cbb
Instruction ID: a7bcf2e92760ad13a8cf6962ec582e47ba9360b51a607ee9195457d151d47ad2
Opcode Fuzzy Hash: bcae45a391650bae09c9a9bca31506aed7b4da649169197148668c5eeae27cbb
Instruction Fuzzy Hash: 3EF1F331A0CA8A4FE759EB2C8459A757BE1EF56354F1401BED04EC72E3DE29AC42C781

Function 00007FF848F984DC Relevance: 1.7, Strings: 1, Instructions: 421COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F98596

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: a920f9ddd14624607f3e1dd10689f49afc8205e3025d7d07a369fefe4605f36e
Instruction ID: 168be7def9b5515df5b4c50aa24011cedc8f5982ade157aaaad4f5e4edb1e8d8
Opcode Fuzzy Hash: a920f9ddd14624607f3e1dd10689f49afc8205e3025d7d07a369fefe4605f36e
Instruction Fuzzy Hash: 62B13A31A1CA891FE759A72C98196713BD1EF56364F4801FFD08EC72E3DE18AC468B85

Function 00007FF848E80FA8 Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32 ref: 00007FF848E81062

Memory Dump Source

Source File: 00000000.00000002.2501816750.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_LiquidText Installer.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: f507c65259ccddd2b6e1399ee85c6560a8f9f08e432e78aee74aa89b4cf62cfd
Instruction ID: 121d70e15098b44f93b1b475f88d18d6df918e288395910382bf9ad0976f265c
Opcode Fuzzy Hash: f507c65259ccddd2b6e1399ee85c6560a8f9f08e432e78aee74aa89b4cf62cfd
Instruction Fuzzy Hash: 7A31043190CB484FDB18EB98984A6F9BBE1FB55321F04426FD049D3292CF746846CB95

Function 00007FF848F933A0 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F93502

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: c25eeb4e906035bbc0c3e4a0cc71d39b2aa1699a671f6ed4f3a4ed073e6b86cc
Instruction ID: 86b87df5377153a9700cf73d129b47fcde50c813da7ae9770575035caebe3735
Opcode Fuzzy Hash: c25eeb4e906035bbc0c3e4a0cc71d39b2aa1699a671f6ed4f3a4ed073e6b86cc
Instruction Fuzzy Hash: 89811231E0DA864FE39AE73C48166707BD1EF6A254F0901FED089C72E3DA59AC458386

Function 00007FF848F92BA0 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F92D08

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: d3bb5ee30d2478703dfc9ebed389fb711ecfef2f7fe5d39dcc6ebdf944c354c4
Instruction ID: 65d8d0409152043fc1d58bb9279b31fb881498116f821a1e1a531b40763e31c1
Opcode Fuzzy Hash: d3bb5ee30d2478703dfc9ebed389fb711ecfef2f7fe5d39dcc6ebdf944c354c4
Instruction Fuzzy Hash: B8713631A0DA894FE34AAB7C88557703BD1EF56354F0801FED089CB2E3DA68AC468345

Function 00007FF848F93CA1 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F93CD6

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: 3ae665a8bf180965f064f618d07cdc89b97c6e15950fd8ba8afd4b52fffe11db
Instruction ID: b4845a220d18b5c34fb5d8253afb8184454cc47bd7a232b24414e518d472744c
Opcode Fuzzy Hash: 3ae665a8bf180965f064f618d07cdc89b97c6e15950fd8ba8afd4b52fffe11db
Instruction Fuzzy Hash: 05412532F1DA8A4FE35DAB2C58262B4BBD1FB55264F0401BED08EC72E2DE1D5C028346

Function 00007FF848F93D54 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F93D89

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: 15aac3259b1f1bf960ada3a4921878eacf7f6ade516c61f6d3e0cd1fa59b055a
Instruction ID: 1f1e52c7b477737ac5f51e2cb4b79ae75561b02fb203f7a6b8e9a2ade0064769
Opcode Fuzzy Hash: 15aac3259b1f1bf960ada3a4921878eacf7f6ade516c61f6d3e0cd1fa59b055a
Instruction Fuzzy Hash: 99412572F1DA894FE35DAB2C58266B47BD0FF69215F0401BED08EC72E2DE195C05834A

Function 00007FF848F963AB Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F963DD

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: 050e64eacfc4ab6aec191ccc9a4db59e90553b59b13c2523d5fac322990af43c
Instruction ID: 860975ae8424e92b4bf342817438167fd8ab989db3cb09a9f9a606c8f441aaa0
Opcode Fuzzy Hash: 050e64eacfc4ab6aec191ccc9a4db59e90553b59b13c2523d5fac322990af43c
Instruction Fuzzy Hash: 6A410532E1CA894FE399E72C58666B4BBD1EB56254F0400BED08EC72D2DF1D6C45830A

Function 00007FF848F97267 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F97303

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: 34e53dec52ee06415c3650ef9e18b560049a7907296d55e9d87fe922534b806b
Instruction ID: ef2d1aed51867dea7835ec56b49fc22ca7c607f5f5077294ff1fb16da78f0a72
Opcode Fuzzy Hash: 34e53dec52ee06415c3650ef9e18b560049a7907296d55e9d87fe922534b806b
Instruction Fuzzy Hash: 1E41D272D1DE864FE399EB3848595647BE0FF25254B1800FEE48DC72E2DB196801C719

Function 00007FF848F9082E Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F90857

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: ce5e8fce527e1b31869403b0696a31da548f8610d28521f8c52e9ac5ddcb2e70
Instruction ID: b8b76333aa62cfb2a7a257fad8cf1a1433839c6a1b48552863b9ba30c52a28d8
Opcode Fuzzy Hash: ce5e8fce527e1b31869403b0696a31da548f8610d28521f8c52e9ac5ddcb2e70
Instruction Fuzzy Hash: 7D212672E0EB894FE399F72848196743BD0EF95254F1500FED489CB2E3DA585C008386

Function 00007FF848F97162 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F9718E

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: b21fad0c4ca6697bfb12546c44dcbed49ea99415d23b5618d31389377675ff3d
Instruction ID: 6ab5fa85b07e5cd7db392b0c640885ea10fb962449608c3af440400816d56b38
Opcode Fuzzy Hash: b21fad0c4ca6697bfb12546c44dcbed49ea99415d23b5618d31389377675ff3d
Instruction Fuzzy Hash: 1E21F272E0EE865FE359EB38845AAB47BE1FF15250B1800FED489C71E2EB196C41C349

Function 00007FF848F90771 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F907A4

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: 6b3b2f91327150c3c8af5664e0adf5acfd08d9104868a3d2dd6b3b5bde3285e5
Instruction ID: 9d0bed5213567fcea27a66d76290f589866005344f3fcd87a02dd8fe6df4ec88
Opcode Fuzzy Hash: 6b3b2f91327150c3c8af5664e0adf5acfd08d9104868a3d2dd6b3b5bde3285e5
Instruction Fuzzy Hash: C921F532E0DA854FE359E72C441A6747BE0EF66254F1801FED48DCB2E3DA185C05871A

Function 00007FF848F93AA8 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F93ABD

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: 4c7b07960c1f7c4bdb2de2708769b3f1a88abeb019339554ac6e5e83069a2cde
Instruction ID: 9a570dc6acb097fee66cd0a08b2a22449a83a71f1b7df660a0312dcf82c91770
Opcode Fuzzy Hash: 4c7b07960c1f7c4bdb2de2708769b3f1a88abeb019339554ac6e5e83069a2cde
Instruction Fuzzy Hash: F121A172E0DA855FE358EB2C881A5B47BE1EF65354B1401BED08ACB2F2DA185C04C709

Function 00007FF848F972D9 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F97303

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: af6f06728130155968c755a331ada289a43a7cac21c377a3bbdde81e59dba8ba
Instruction ID: e94f6d13e585b5cd23317184054ec497ae8942ca3e0491de678018a4e3894786
Opcode Fuzzy Hash: af6f06728130155968c755a331ada289a43a7cac21c377a3bbdde81e59dba8ba
Instruction Fuzzy Hash: 9F21A472E0CE865FE799EB284455A7477E1EF65384B1440BAD84DC72D2DB186C008715

Function 00007FF848F93B5C Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F93B70

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: aa271cbdba92c788dc39c0c4ff288e81af32e104a8ee084a2bb0d102885d219d
Instruction ID: 1f5752ec47a8efb521e170656b02ddfe09199db406ac97f19518daf8b3eb5705
Opcode Fuzzy Hash: aa271cbdba92c788dc39c0c4ff288e81af32e104a8ee084a2bb0d102885d219d
Instruction Fuzzy Hash: 3A119371D0EA865FE399AB3C48565B47BE0FF15350B1410FED08AD72F6DA185C058346

Function 00007FF848F9738C Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

x6Bo, xrefs: 00007FF848F973B6

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: x6Bo
API String ID: 0-2959843075
Opcode ID: f54ca7460b288537e24d1081b51d0d09fc6ee8764f999aa27855802134c9bfdb
Instruction ID: 2dc5946e100d62276e819c5e76b86e170809d33888d4216345b9a4ac683e862c
Opcode Fuzzy Hash: f54ca7460b288537e24d1081b51d0d09fc6ee8764f999aa27855802134c9bfdb
Instruction Fuzzy Hash: A3019271A0DA454FE39CDB2C945AA7477E1EF6A254B1000BFC08DCB3A2EA655C41C705

Function 00007FF848F96C37 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1557edbf7e23179f5b1a7431c03790556460044b6f683a4b04bbf661b5a777
Instruction ID: d5ce351d9133d940f63d685728be7fe87d0bbf4140d967475b3e66b67d720387
Opcode Fuzzy Hash: fd1557edbf7e23179f5b1a7431c03790556460044b6f683a4b04bbf661b5a777
Instruction Fuzzy Hash: 1BF1F330A0CA4A4FEB99EB2CD854A747BD1EF56354F0401BAE04EC72E3DE29AC45C785

Function 00007FF848D6E3B3 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2501488523.00007FF848D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848d6d000_LiquidText Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036711324addaf4522f59713abba96d6d65c565d76f2c165a3cfa9821c6423a6
Instruction ID: 8c3c86b35a28caaf062261419e68602ac71a25d20790aae5d8a59053c13b8c8b
Opcode Fuzzy Hash: 036711324addaf4522f59713abba96d6d65c565d76f2c165a3cfa9821c6423a6
Instruction Fuzzy Hash: 3841C33180DBC44FD356DB389845A663FF0EF56251B1506EFE088CB1A7D625B84ACB92

Function 00007FF848F955A4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2502398359.00007FF848F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f90000_LiquidText Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54895b79d0c644f409e774c637cd50703585187ff8e38f68b9292aa4075b1f4
Instruction ID: 05e1d4b7d11f864831dab1a0e929b901450664771cc5f9a9d92d8ec060f6d717
Opcode Fuzzy Hash: b54895b79d0c644f409e774c637cd50703585187ff8e38f68b9292aa4075b1f4
Instruction Fuzzy Hash: 8911BF31A0D98A8FEB85FB288869A247BE1EF55304B2801B9D44EC72D3CB18BC45C785

Non-executed Functions

Function 00007FF848E901BD Relevance: 3.7, Strings: 2, Instructions: 1208COMMON

Download Yara Rule

Strings

:L_^, xrefs: 00007FF848E90A01
@, xrefs: 00007FF848E90563

Memory Dump Source

Source File: 00000000.00000002.2501816750.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: :L_^$@
API String ID: 0-4216884312
Opcode ID: 2acce7a58a84ee6237d0f18770f9e9d774803ca4405e93581e4c687772660f91
Instruction ID: 5321f6335ed598c682727651e3cc934389dfb14a9ae84a4bf74037204f0baecb
Opcode Fuzzy Hash: 2acce7a58a84ee6237d0f18770f9e9d774803ca4405e93581e4c687772660f91
Instruction Fuzzy Hash: 37526B21A5D6C54FE31EBA6C5C520B47BD0FF82359F5801BED4CBC7193EA78A407868A

Function 00007FF848E81A15 Relevance: 2.8, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

)M_^, xrefs: 00007FF848E81B01
(M_^, xrefs: 00007FF848E81C01

Memory Dump Source

Source File: 00000000.00000002.2501816750.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e80000_LiquidText Installer.jbxd

Similarity

API ID:
String ID: (M_^$)M_^
API String ID: 0-2926074235
Opcode ID: 45c6212d711c085e5d52edee8aee82d8d774c43c1b6892223667661db9129fd2
Instruction ID: 7eaa8473714b9b31a1e2bf7b9d9ad5c3f344e9ac72aeb2cdf400072880c93f2c
Opcode Fuzzy Hash: 45c6212d711c085e5d52edee8aee82d8d774c43c1b6892223667661db9129fd2
Instruction Fuzzy Hash: 5881632390E7DA9FD7066A3C58A50E93FA0EF536A5B0D02F7C5D48F093EE1A584B8315

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LiquidText Installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LiquidText Installer.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPF8517.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WPFFFD4.tmp

C:\Users\user\AppData\Local\Temp\Tmp816B.tmp

C:\Users\user\AppData\Local\Temp\Tmp8218.tmp

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: LiquidText Installer.exePID: 4760, Parent PID: 1028

General

Chronological Activities

Disassembly

Windows Analysis Report
LiquidText Installer.exe

Function 00007FF848E946CE Relevance: 13.0, Strings: 10, Instructions: 524
COMMON

Function 00007FF848EB6672 Relevance: 10.8, Strings: 8, Instructions: 779
COMMON

Function 00007FF848F940A8 Relevance: 8.5, Strings: 6, Instructions: 1045
COMMON

Function 00007FF848E841ED Relevance: 6.8, Strings: 5, Instructions: 596
COMMON

Function 00007FF848F90CBC Relevance: 6.1, Strings: 4, Instructions: 1068
COMMON

Function 00007FF848F977E0 Relevance: 5.7, Strings: 4, Instructions: 726
COMMON

Function 00007FF848F95741 Relevance: 7.0, Strings: 5, Instructions: 704
COMMON