
Windows Analysis Report
lNf8XY8HLb.exe

Overview

General Information

Sample name: lNf8XY8HLb.exe (renamed because the original name is a hash value)
Original sample name: 7637c65d7d91f91e0507ed92ca67d011.exe
Analysis ID: 1545097
MD5: 7637c65d7d91f91e0507ed92ca67d011
SHA1: 7421f4ec388c0596be5df2cd07873b52fe94fe03
SHA256: d3d22f35f4571d498c8d6cb177cc260301652b9dd030ca431bd6bf2a4626f0c4
Tags: 32 exe trojan

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • lNf8XY8HLb.exe (PID: 2548 cmdline: "C:\Users\user\Desktop\lNf8XY8HLb.exe" MD5: 7637C65D7D91F91E0507ED92CA67D011)
    • InstallUtil.exe (PID: 1432 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • conhost.exe (PID: 3852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "194.48.251.46/93.123.109.157"}
Yara matches in memory dumps

Source | Rule | Description | Author
00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  Matched strings:
  • 0x133ca:$a4: get_ScannedWallets
  • 0x12228:$a5: get_ScanTelegram
  • 0x1304e:$a6: get_ScanGeckoBrowsersPaths
  • 0x10e6a:$a7: <Processes>k__BackingField
  • 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.2149289785.0000000005150000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Yara matches in unpacked PEs

Source | Rule | Description | Author
2.2.InstallUtil.exe.700000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.InstallUtil.exe.700000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.2.InstallUtil.exe.700000.0.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
  Matched strings:
  • 0x135ca:$a4: get_ScannedWallets
  • 0x12428:$a5: get_ScanTelegram
  • 0x1324e:$a6: get_ScanGeckoBrowsersPaths
  • 0x1106a:$a7: <Processes>k__BackingField
  • 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x1099e:$a9: <ScanFTP>k__BackingField
2.2.InstallUtil.exe.700000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  Matched strings:
  • 0x1048a:$u7: RunPE
  • 0x13b41:$u8: DownloadAndEx
  • 0x9130:$pat14: , CommandLine:
  • 0x13079:$v2_1: ListOfProcesses
  • 0x1068b:$v2_2: get_ScanVPN
  • 0x1072e:$v2_2: get_ScanFTP
  • 0x1141e:$v2_2: get_ScanDiscord
  • 0x1240c:$v2_2: get_ScanSteam
  • 0x12428:$v2_2: get_ScanTelegram
  • 0x124ce:$v2_2: get_ScanScreen
  • 0x13216:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x13509:$v2_2: get_ScanBrowsers
  • 0x135ca:$v2_2: get_ScannedWallets
  • 0x135f0:$v2_2: get_ScanWallets
  • 0x13610:$v2_3: GetArguments
  • 0x11cd9:$v2_4: VerifyUpdate
  • 0x16616:$v2_4: VerifyUpdate
  • 0x139ca:$v2_5: VerifyScanRequest
  • 0x130c6:$v2_6: GetUpdates
  • 0x165f7:$v2_6: GetUpdates
0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: lNf8XY8HLb.exe | Avira: detected
Source: 2.2.InstallUtil.exe.700000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": "194.48.251.46/93.123.109.157"}
Source: lNf8XY8HLb.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: lNf8XY8HLb.exe | Joe Sandbox ML: detected
Source: lNf8XY8HLb.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: lNf8XY8HLb.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbl|` source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: lNf8XY8HLb.exe, 00000000.00000002.2149675897.0000000005270000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: lNf8XY8HLb.exe, 00000000.00000002.2149675897.0000000005270000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: HP<oHC:\Windows\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374351564.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3378140779.0000000005221000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor | URLs: 194.48.251.46/93.123.109.157
Source: unknown | DNS traffic detected: query: panel.o7lab.me1337 reply code: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 25 times)
Source: global traffic | DNS traffic detected: DNS query: panel.o7lab.me1337
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://panel.o7lab.me1337
Source: InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://panel.o7lab.me1337/
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002864000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002864000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: InstallUtil.exe, 00000002.00000002.3375862226.0000000002864000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0
Source: InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/
Source: InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
Source: InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.000000000270D000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: lNf8XY8HLb.exe PID: 2548, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 1432, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Code function: 0_2_024968F8
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Code function: 0_2_024951A0
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Code function: 0_2_02491A00
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Code function: 0_2_024968E9
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Code function: 0_2_0249EE18
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Code function: 0_2_02495190
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Code function: 0_2_05A6ECF0
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Code function: 0_2_05A50007
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Code function: 0_2_05A6E008
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Code function: 0_2_05A50040
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Code function: 0_2_05A6E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_00A6E7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_00A6DC90
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000026B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000000.2121997026.00000000003BA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameredline.exe0 vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2149675897.0000000005270000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2131028362.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000036B7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2148514302.0000000004D70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameZzmvrlsj.dll" vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe | Binary or memory string: OriginalFilenameredline.exe0 vs lNf8XY8HLb.exe
Source: lNf8XY8HLb.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                Source: 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                Source: 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                Source: Process Memory Space: lNf8XY8HLb.exe PID: 2548, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                Source: Process Memory Space: InstallUtil.exe PID: 1432, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                Source: lNf8XY8HLb.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
                Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
                Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/0@25/0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3852:120:WilError_03
                Source: lNf8XY8HLb.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: lNf8XY8HLb.exe | ReversingLabs: Detection: 47%
                Source: unknown | Process created: C:\Users\user\Desktop\lNf8XY8HLb.exe "C:\Users\user\Desktop\lNf8XY8HLb.exe"
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wtsapi32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winsta.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: lNf8XY8HLb.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: lNf8XY8HLb.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: lNf8XY8HLb.exe | Static file information: File size 1077248 > 1048576
                Source: lNf8XY8HLb.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106600
                Source: lNf8XY8HLb.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbl|` source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: lNf8XY8HLb.exe, 00000000.00000002.2149675897.0000000005270000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: lNf8XY8HLb.exe, 00000000.00000002.2149675897.0000000005270000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: HP<oHC:\Windows\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374351564.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: protobuf-net.pdbSHA256}Lq source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3378140779.0000000005221000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: protobuf-net.pdb source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: InstallUtil.exe, 00000002.00000002.3374957570.0000000000B07000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: lNf8XY8HLb.exe, ConfigDescriptorListener.cs | .Net Code: QueryAlgo System.Reflection.Assembly.Load(byte[])
                Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                Source: 0.2.lNf8XY8HLb.exe.51b0000.9.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                Source: 0.2.lNf8XY8HLb.exe.51b0000.9.raw.unpack, ListDecorator.cs | .Net Code: Read
                Source: 0.2.lNf8XY8HLb.exe.51b0000.9.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                Source: 0.2.lNf8XY8HLb.exe.51b0000.9.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                Source: 0.2.lNf8XY8HLb.exe.51b0000.9.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                Source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                Source: 0.2.lNf8XY8HLb.exe.36e1570.2.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                Source: Yara match | File source: 0.2.lNf8XY8HLb.exe.5150000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2149289785.0000000005150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2132297348.000000000270D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: lNf8XY8HLb.exe PID: 2548, type: MEMORYSTR
                Source: lNf8XY8HLb.exe | Static PE information: section name: .text entropy: 7.918696279398938
                Source: C:\Users\user\Desktop\lNf8XY8HLb.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match; File source: Process Memory Space: lNf8XY8HLb.exe PID: 2548, type: MEMORYSTR
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.000000000270D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe; Memory allocated: 2490000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe; Memory allocated: 26B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe; Memory allocated: 46B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: A60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 27C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 24E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3756; Thread sleep time: -110000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Last function: Thread delayed (2 events)
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.000000000270D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.000000000270D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: model0Microsoft|VMWare|Virtual
Source: InstallUtil.exe, 00000002.00000002.3378140779.0000000005200000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe; Process token adjusted: Debug (2 events)
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe; Memory allocated: page read and write | page guard
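The strings in this section (the SerialNumber and model alternations, the query against Win32_ComputerSystem, and SBIEDLL.DLL) are enough to reconstruct the shape of the sample's VM and sandbox check. The Python below is an added illustration written for this page, not code from the sample or from Joe Sandbox: it applies those exact alternations to constructed host fingerprints and reports which hosts the check would refuse to run on. Assumed rather than shown on the page: case-insensitive matching, that SerialNumber is read from Win32_BIOS (the dump only shows the Win32_ComputerSystem query), and the host records themselves.

```python
"""VM/sandbox fingerprint check reconstructed from strings dumped out of
lNf8XY8HLb.exe memory. Added illustration, not the sample's code.
Assumptions: case-insensitive matching, SerialNumber taken from Win32_BIOS,
and constructed host records (none of them come from the report)."""
import re
from dataclasses import dataclass, field

# Alternations copied verbatim from the dumped strings.
SERIAL_PATTERN = re.compile(r"VMware|VIRTUAL|A M I|Xen", re.IGNORECASE)
MODEL_PATTERN = re.compile(r"Microsoft|VMWare|Virtual", re.IGNORECASE)
# Sandboxie injects this DLL into every process it confines.
SANDBOX_MODULES = {"sbiedll.dll"}


@dataclass
class HostFingerprint:
    model: str                      # Win32_ComputerSystem.Model
    serial_number: str              # Win32_BIOS.SerialNumber (assumed source)
    loaded_modules: list[str] = field(default_factory=list)


def evasion_reasons(host: HostFingerprint) -> list[str]:
    """Reasons a check of this shape would refuse to run; empty means 'run'."""
    reasons = []
    if SERIAL_PATTERN.search(host.serial_number):
        reasons.append(f"serial matches: {host.serial_number!r}")
    if MODEL_PATTERN.search(host.model):
        reasons.append(f"model matches: {host.model!r}")
    for mod in host.loaded_modules:
        if mod.lower() in SANDBOX_MODULES:
            reasons.append(f"sandbox module loaded: {mod}")
    return reasons


# Constructed fingerprints for the demonstration.
HOSTS = {
    "vmware_guest": HostFingerprint("VMware Virtual Platform", "VMware-56 4d 00 11 22 33"),
    "hyperv_guest": HostFingerprint("Virtual Machine", "1234-5678-9012-3456"),
    "sandboxie": HostFingerprint("OptiPlex 7090", "ABC1234", ["ntdll.dll", "SbieDll.dll"]),
    "bare_metal": HostFingerprint("OptiPlex 7090", "ABC1234", ["ntdll.dll"]),
}


def verdicts() -> dict[str, list[str]]:
    """Map each constructed host to the reasons the check would bail out."""
    return {name: evasion_reasons(h) for name, h in HOSTS.items()}


if __name__ == "__main__":
    for name, reasons in verdicts().items():
        print(f"{name:13} -> {'EVADE: ' + '; '.join(reasons) if reasons else 'run payload'}")
```

A sandbox that wants this family to detonate therefore has to present Model and SerialNumber values free of these substrings and must not have SbieDll.dll loaded in the process. The other rows in this section (the write-watch allocations, the long thread sleep, the debug-privilege adjustment) are separate observations and are not modelled here.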

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, NativeMethods.cs; Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.lNf8XY8HLb.exe.5270000.10.raw.unpack, ResourceReferenceValue.cs; Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, NativeHelper.cs; Reference to suspicious API methods: GetProcAddress(hModule, "GetConsoleWindow")
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe; Queries volume information: C:\Users\user\Desktop\lNf8XY8HLb.exe VolumeInformation
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\lNf8XY8HLb.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
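The process-creation row in this section is the one that matters operationally: a .NET executable on the user's Desktop starts the signed framework binary InstallUtil.exe with nothing but its own path on the command line, the shape a loader uses before hollowing the child and mapping the stealer into it (the "Creates a process in suspended mode" signature in this report). The Python below is an added example of detection logic over process-creation events, not part of the report or of the sample. Only the first event is taken from the report's process tree; the other events are constructed in the style of Sysmon Event ID 1, and the allow-list of expected parent processes is an assumption to be tuned from local telemetry.

```python
"""Detection logic for a framework binary (InstallUtil.exe and friends) being
launched as a hollowing host. Added example, not part of the Joe Sandbox
report. The 'report' event reproduces the report's process tree; the other
events are constructed. EXPECTED_PARENTS is an assumed allow-list."""
import ntpath
from dataclasses import dataclass

# Framework binaries commonly used as hollowing hosts by .NET loaders.
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "aspnet_compiler.exe"}
# Parents that routinely launch those binaries (assumed; extend from your telemetry).
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class ProcessCreate:
    image: str
    command_line: str
    parent_image: str


def bare_command_line(ev: ProcessCreate) -> bool:
    """True when the command line carries no argument beyond the image path."""
    return ev.command_line.strip().strip('"').strip().lower() == ev.image.lower()


def alert_reasons(ev: ProcessCreate) -> list[str]:
    """Return why this event should alert; an empty list means benign."""
    child = ntpath.basename(ev.image).lower()
    parent = ntpath.basename(ev.parent_image).lower()
    if child not in HOLLOW_HOSTS:
        return []
    reasons = []
    if bare_command_line(ev):
        # None of these binaries does useful work without an argument.
        reasons.append(f"{child} started without an assembly argument")
    if any(marker in ev.parent_image.lower() for marker in USER_WRITABLE):
        reasons.append(f"parent {parent} runs from a user-writable path")
    if parent not in EXPECTED_PARENTS and reasons:
        reasons.append(f"parent {parent} is not an expected launcher")
    return reasons


EVENTS = {
    # Taken from the report's process tree.
    "report": ProcessCreate(
        r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
        r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
        r"C:\Users\user\Desktop\lNf8XY8HLb.exe",
    ),
    # Constructed benign events.
    "service_install": ProcessCreate(
        r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
        r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" /i "C:\Program Files\Acme\AcmeSvc.exe"',
        r"C:\Windows\System32\cmd.exe",
    ),
    "unrelated": ProcessCreate(
        r"C:\Windows\System32\notepad.exe",
        r'"C:\Windows\System32\notepad.exe"',
        r"C:\Users\user\Desktop\lNf8XY8HLb.exe",
    ),
}


def triage() -> dict[str, list[str]]:
    """Run the rule over every sample event."""
    return {name: alert_reasons(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, reasons in triage().items():
        print(f"{name}: {'ALERT ' + '; '.join(reasons) if reasons else 'ok'}")
```

The bare command line is the strongest of the three signals: legitimate InstallUtil runs always name an assembly, so a quoted path and nothing else is rarely benign even when the parent looks ordinary. The parent-path and allow-list signals only add weight; they are deliberately not required, so a loader started from a less obvious directory still fires on the first signal.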

Stealing of Sensitive Information

Source: Yara match; File source: 2.2.InstallUtil.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: lNf8XY8HLb.exe PID: 2548, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 1432, type: MEMORYSTR
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ElectrumRule
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: JaxxxLibertyAfihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: lNf8XY8HLb.exe, 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: ExodusRule
Source: lNf8XY8HLb.exe, 00000000.00000002.2148514302.0000000004D70000.00000004.08000000.00040000.00000000.sdmp; String found in binary or memory: set_UseMachineKeyStore
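The long memory string above is not noise: it is the stealer's target list (Electrum and Exodus wallet paths, FileZilla sitemanager.xml, browser cookies.sqlite and Login Data, the Steam install path, wallet browser-extension IDs) with filler tokens spliced into the sensitive words, so that "cookies.sqlite" sits in memory as "coMANGOokies.sqMANGOlite" until the tokens are removed at run time. The Python below is an added example that strips those tokens to recover the plain-text targets; it is not the sample's own code. The tokens and the input strings are read off this page, and the assumption that each string carries its own filler token comes from the look of the strings, not from decompiled source. It also shows why the tokens cannot simply be removed from the whole dump at once.

```python
"""Filler-token stripping for the stealer target strings dumped from
lNf8XY8HLb.exe memory. Added example, not the sample's code. Tokens and
inputs are copied from the report; the per-string token assignment is an
assumption drawn from how the strings look."""


def strip_tokens(obfuscated: str, tokens: tuple[str, ...]) -> str:
    """Remove every occurrence of each filler token, longest token first so
    that 'String.Replace' is consumed before a bare 'Replace' could break it."""
    for token in sorted(tokens, key=len, reverse=True):
        obfuscated = obfuscated.replace(token, "")
    return obfuscated


# (string as dumped, filler token used in that string); copied from the report.
SAMPLES = [
    (r"coMANGOokies.sqMANGOlite", ("MANGO",)),
    (r"TReplaceokReplaceenReplaces.tReplacext", ("Replace",)),
    (r"\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOx", ("File.IO",)),
    (r"OpHandlerenVPHandlerN ConHandlernect", ("Handler",)),
    (r"NoDefrdDefVPNDef", ("Def",)),
    (r"waasflleasft.datasf", ("asf",)),
    (r"%USERPEnvironmentROFILE%", ("Environment",)),
    (r"//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.Removee", ("String.Remove",)),
    (r"//settString.Replaceing[@name=\UString.Replacesername\]/vaString.Replacelue", ("String.Replace",)),
    (r"NWinordVWinpn.eWinxe*Win", ("Win",)),
]


def deobfuscate_all() -> list[str]:
    """Plain-text targets in the same order as SAMPLES."""
    return [strip_tokens(dumped, tokens) for dumped, tokens in SAMPLES]


def global_strip_is_unsafe() -> str:
    """Why the tokens cannot be stripped from the whole dump: applying the
    'Win' filler to a legitimate WMI query (also present in the dump) corrupts it."""
    return strip_tokens("select * from Win32_ComputerSystem", ("Win",))


if __name__ == "__main__":
    for (dumped, _), clean in zip(SAMPLES, deobfuscate_all()):
        print(f"{dumped:78} -> {clean}")
    print("global strip of 'Win':", global_strip_is_unsafe())
```

Recovered this way, the list reads as a conventional RedLine-style inventory: the Jaxx Liberty wallet directory (com.liberty.jaxx), wallet.dat, the FileZilla XPath expressions for stored usernames and passwords, Discord-style Tokens.txt, and process names for OpenVPN Connect and NordVPN. When writing YARA or memory-scanning rules for this family, match the obfuscated forms as they appear in the dump, or run a per-string strip like the one above first; a rule for the plain "cookies.sqlite" will not hit this memory region.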
Source: Yara match (second Yara signature in this section); File sources: identical to the ten listed at the start of this section (four unpacked PEs, four memory dumps, and the process memory spaces of lNf8XY8HLb.exe PID 2548 and InstallUtil.exe PID 1432)

Remote Access Functionality

Source: Yara match; File sources: identical to the ten listed under Stealing of Sensitive Information (2.2.InstallUtil.exe.700000.0.unpack, 0.2.lNf8XY8HLb.exe.377fdb0.4.raw.unpack, 0.2.lNf8XY8HLb.exe.377fdb0.4.unpack, 0.2.lNf8XY8HLb.exe.3731590.3.raw.unpack, the four memory dumps, and the process memory spaces of lNf8XY8HLb.exe PID 2548 and InstallUtil.exe PID 1432)
MITRE ATT&CK Matrix (a number in parentheses is the count the report attached to that technique; entries without a count are the matrix's placeholder techniques and were not observed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Scheduled Task/Job (1); Native API (1); At; Cron; Launchd; Scheduled Task
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (2); Disable or Modify Tools (1); Process Injection (11); Obfuscated Files or Information (1); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (2); Process Discovery (1); System Information Discovery (12); Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label | Link
lNf8XY8HLb.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla |
lNf8XY8HLb.exe | 100% | Avira | HEUR/AGEN.1323689 |
lNf8XY8HLb.exe | 100% | Joe Sandbox ML | |
No Antivirus matches (reported for three further scan categories)
Source | Detection | Scanner | Label | Link
https://stackoverflow.com/q/14436606/23354 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe |
https://stackoverflow.com/q/11564914/23354; | 0% | URL Reputation | safe |
https://stackoverflow.com/q/2152978/23354 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/actor/next | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
panel.o7lab.me1337 | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
194.48.251.46/93.123.109.157 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/ip%appdata% | lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp | false | | unknown
http://panel.o7lab.me1337/ | InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://tempuri.org/Endpoint/CheckConnectLR | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://stackoverflow.com/q/14436606/23354 | lNf8XY8HLb.exe, 00000000.00000002.2132297348.000000000270D000.00000004.00000800.00020000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/mgravell/protobuf-netJ | lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/CheckConnectResponse | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://panel.o7lab.me1337 | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/soap/envelope/ | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002864000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/mgravell/protobuf-net | lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://tempuri.org/ | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002864000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://tempuri.org/Endpoint/CheckConnect | InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://tempuri.org/Endpoint/EnvironmentSettingsLR | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://tempuri.org/Endpoint/SetEnvironmentLR | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.ipify.orgcookies//settinString.Removeg | lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp | true | | unknown
https://github.com/mgravell/protobuf-neti | lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/GetUpdatesLR | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://tempuri.org/Endpoint/VerifyUpdateLR | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://stackoverflow.com/q/11564914/23354; | lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/2152978/23354 | lNf8XY8HLb.exe, 00000000.00000002.2147687054.0000000003866000.00000004.00000800.00020000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2149415983.00000000051B0000.00000004.08000000.00040000.00000000.sdmp; lNf8XY8HLb.exe, 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/GetUpdatesResponse | InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp; InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmp | false |
                                                            unknown
                                                            http://tempuri.org/Endpoint/InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              unknown
                                                              http://tempuri.org/Endpoint/EnvironmentSettingsResponseInstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000286B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.000000000297B000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.0000000002896000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                unknown
                                                                http://tempuri.org/Endpoint/CheckConnectTInstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://tempuri.org/0InstallUtil.exe, 00000002.00000002.3375862226.0000000002864000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namelNf8XY8HLb.exe, 00000000.00000002.2132297348.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://schemas.xmlsoap.org/soap/actor/nextInstallUtil.exe, 00000002.00000002.3375862226.00000000027C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545097
Start date and time: 2024-10-30 05:18:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: lNf8XY8HLb.exe (renamed because the original name is a hash value)
Original Sample Name: 7637c65d7d91f91e0507ed92ca67d011.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/0@25/0
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 60
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target lNf8XY8HLb.exe, PID 2548 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: lNf8XY8HLb.exe
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.914002155763885
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: lNf8XY8HLb.exe
File size: 1'077'248 bytes
MD5: 7637c65d7d91f91e0507ed92ca67d011
SHA1: 7421f4ec388c0596be5df2cd07873b52fe94fe03
SHA256: d3d22f35f4571d498c8d6cb177cc260301652b9dd030ca431bd6bf2a4626f0c4
SHA512: aea8265502155302bfa9cec0820d9654d57c81b897507c225f6069e40e05025fb115139577ab7ed2dff9d13c19dbfd70063616aaa1231df496e3cc174def198b
SSDEEP: 24576:TUorxJdcT8IgUsBFJ/ZHOyNeM7DkdIM4Oiy:YorxJIsB//ZHOC7c
TLSH: 87351223BD565973C388873AC8AB44040BA3D392B5D3EB4B39DE63E648C33B65E55643
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... g.................f............... ........@.. ....................................`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x5084ce
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6720B9C7 [Tue Oct 29 10:32:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (this instruction repeats 97 times; each is the decoding of two zero bytes, so the entry-point jmp is followed by zero padding)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x108480 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10a000 | 0x560 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1064d4 | 0x106600 | 02ffeb269ba39e17f8a765e6d924e563 | False | 0.9359925857551215 | data | 7.918696279398938 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x10a000 | 0x560 | 0x600 | 863a283af8deb7807689ed8583e97dc3 | False | 0.4010416666666667 | data | 3.8662134705302984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10c000 | 0xc | 0x200 | a361b0e0ddea666e7baacac0e14ab6bd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x10a0a0 | 0x30c | data | | | 0.4217948717948718
RT_MANIFEST | 0x10a3ac | 0x1b4 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators | | | 0.5642201834862385

DLL | Import
mscoree.dll | _CorExeMain
                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                    Oct 30, 2024 05:19:04.128959894 CET5426653192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:19:04.143321037 CET53542661.1.1.1192.168.2.6
                                                                    Oct 30, 2024 05:19:09.191883087 CET4919153192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:19:09.211436987 CET53491911.1.1.1192.168.2.6
                                                                    Oct 30, 2024 05:19:14.223376036 CET6068953192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:19:14.238451004 CET53606891.1.1.1192.168.2.6
                                                                    Oct 30, 2024 05:19:19.254890919 CET5371653192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:19:19.263942003 CET53537161.1.1.1192.168.2.6
                                                                    Oct 30, 2024 05:19:24.270328999 CET6063153192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:19:24.284746885 CET53606311.1.1.1192.168.2.6
                                                                    Oct 30, 2024 05:19:29.301143885 CET6552653192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:19:29.310241938 CET53655261.1.1.1192.168.2.6
                                                                    Oct 30, 2024 05:19:34.317193031 CET6108653192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:19:34.326225996 CET53610861.1.1.1192.168.2.6
                                                                    Oct 30, 2024 05:19:39.332695007 CET4941253192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:19:39.347580910 CET53494121.1.1.1192.168.2.6
                                                                    Oct 30, 2024 05:19:44.364393950 CET5769653192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:19:44.379956007 CET53576961.1.1.1192.168.2.6
                                                                    Oct 30, 2024 05:19:49.395184040 CET6034453192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:19:49.409646988 CET53603441.1.1.1192.168.2.6
                                                                    Oct 30, 2024 05:19:54.427362919 CET6472053192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:19:54.450553894 CET53647201.1.1.1192.168.2.6
                                                                    Oct 30, 2024 05:19:59.457743883 CET6004153192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:19:59.483247995 CET53600411.1.1.1192.168.2.6
                                                                    Oct 30, 2024 05:20:04.489239931 CET6090453192.168.2.61.1.1.1
                                                                    Oct 30, 2024 05:20:04.503985882 CET53609041.1.1.1192.168.2.6
Oct 30, 2024 05:20:09.520545006 CET | 58162 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 05:20:09.536453962 CET | 53 | 58162 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 05:20:14.551975965 CET | 61469 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 05:20:14.560494900 CET | 53 | 61469 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 05:20:19.567380905 CET | 51799 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 05:20:19.582701921 CET | 53 | 51799 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 05:20:24.600769997 CET | 57888 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 05:20:24.618524075 CET | 53 | 57888 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 05:20:29.630110025 CET | 56261 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 05:20:29.645733118 CET | 53 | 56261 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 05:20:34.661268950 CET | 63611 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 05:20:34.675904989 CET | 53 | 63611 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 05:20:39.694083929 CET | 54527 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 05:20:39.701659918 CET | 53 | 54527 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 05:20:44.708374977 CET | 56454 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 05:20:44.717184067 CET | 53 | 56454 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 05:20:49.723874092 CET | 54503 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 05:20:49.733434916 CET | 53 | 54503 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 05:20:54.739362955 CET | 61577 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 05:20:54.748542070 CET | 53 | 61577 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 05:20:59.754939079 CET | 65433 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 05:20:59.764657021 CET | 53 | 65433 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 05:21:04.792201996 CET | 62087 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 05:21:04.801762104 CET | 53 | 62087 | 1.1.1.1 | 192.168.2.6
DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2024 05:19:04.128959894 CET | 192.168.2.6 | 1.1.1.1 | 0x77d2 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:09.191883087 CET | 192.168.2.6 | 1.1.1.1 | 0x4321 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:14.223376036 CET | 192.168.2.6 | 1.1.1.1 | 0x4b93 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:19.254890919 CET | 192.168.2.6 | 1.1.1.1 | 0x47e3 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:24.270328999 CET | 192.168.2.6 | 1.1.1.1 | 0xdd7 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:29.301143885 CET | 192.168.2.6 | 1.1.1.1 | 0xf9fa | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:34.317193031 CET | 192.168.2.6 | 1.1.1.1 | 0x8d6a | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:39.332695007 CET | 192.168.2.6 | 1.1.1.1 | 0x27ae | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:44.364393950 CET | 192.168.2.6 | 1.1.1.1 | 0x4217 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:49.395184040 CET | 192.168.2.6 | 1.1.1.1 | 0x82a8 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:54.427362919 CET | 192.168.2.6 | 1.1.1.1 | 0x5291 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:59.457743883 CET | 192.168.2.6 | 1.1.1.1 | 0x3639 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:04.489239931 CET | 192.168.2.6 | 1.1.1.1 | 0xd70 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:09.520545006 CET | 192.168.2.6 | 1.1.1.1 | 0x43c | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:14.551975965 CET | 192.168.2.6 | 1.1.1.1 | 0xab93 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:19.567380905 CET | 192.168.2.6 | 1.1.1.1 | 0x4750 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:24.600769997 CET | 192.168.2.6 | 1.1.1.1 | 0xa30e | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:29.630110025 CET | 192.168.2.6 | 1.1.1.1 | 0xd9ee | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:34.661268950 CET | 192.168.2.6 | 1.1.1.1 | 0xf88d | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:39.694083929 CET | 192.168.2.6 | 1.1.1.1 | 0x1a9a | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:44.708374977 CET | 192.168.2.6 | 1.1.1.1 | 0xd31a | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:49.723874092 CET | 192.168.2.6 | 1.1.1.1 | 0x58d6 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:54.739362955 CET | 192.168.2.6 | 1.1.1.1 | 0x5b0 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:59.754939079 CET | 192.168.2.6 | 1.1.1.1 | 0x3eeb | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:21:04.792201996 CET | 192.168.2.6 | 1.1.1.1 | 0x5d1 | Standard query (0) | panel.o7lab.me1337 | A (IP address) | IN (0x0001) | false

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2024 05:19:04.143321037 CET | 1.1.1.1 | 192.168.2.6 | 0x77d2 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:09.211436987 CET | 1.1.1.1 | 192.168.2.6 | 0x4321 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:14.238451004 CET | 1.1.1.1 | 192.168.2.6 | 0x4b93 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:19.263942003 CET | 1.1.1.1 | 192.168.2.6 | 0x47e3 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:24.284746885 CET | 1.1.1.1 | 192.168.2.6 | 0xdd7 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:29.310241938 CET | 1.1.1.1 | 192.168.2.6 | 0xf9fa | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:34.326225996 CET | 1.1.1.1 | 192.168.2.6 | 0x8d6a | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:39.347580910 CET | 1.1.1.1 | 192.168.2.6 | 0x27ae | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:44.379956007 CET | 1.1.1.1 | 192.168.2.6 | 0x4217 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:49.409646988 CET | 1.1.1.1 | 192.168.2.6 | 0x82a8 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:54.450553894 CET | 1.1.1.1 | 192.168.2.6 | 0x5291 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:19:59.483247995 CET | 1.1.1.1 | 192.168.2.6 | 0x3639 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:04.503985882 CET | 1.1.1.1 | 192.168.2.6 | 0xd70 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:09.536453962 CET | 1.1.1.1 | 192.168.2.6 | 0x43c | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:14.560494900 CET | 1.1.1.1 | 192.168.2.6 | 0xab93 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:19.582701921 CET | 1.1.1.1 | 192.168.2.6 | 0x4750 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:24.618524075 CET | 1.1.1.1 | 192.168.2.6 | 0xa30e | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:29.645733118 CET | 1.1.1.1 | 192.168.2.6 | 0xd9ee | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:34.675904989 CET | 1.1.1.1 | 192.168.2.6 | 0xf88d | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:39.701659918 CET | 1.1.1.1 | 192.168.2.6 | 0x1a9a | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:44.717184067 CET | 1.1.1.1 | 192.168.2.6 | 0xd31a | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:49.733434916 CET | 1.1.1.1 | 192.168.2.6 | 0x58d6 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:54.748542070 CET | 1.1.1.1 | 192.168.2.6 | 0x5b0 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:20:59.764657021 CET | 1.1.1.1 | 192.168.2.6 | 0x3eeb | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false
Oct 30, 2024 05:21:04.801762104 CET | 1.1.1.1 | 192.168.2.6 | 0x5d1 | Name error (3) | panel.o7lab.me1337 | none | none | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 00:19:00
Start date: 30/10/2024
Path: C:\Users\user\Desktop\lNf8XY8HLb.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\lNf8XY8HLb.exe"
Imagebase: 0x2b0000
File size: 1'077'248 bytes
MD5 hash: 7637C65D7D91F91E0507ED92CA67D011
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2149289785.0000000005150000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2132297348.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2132297348.000000000270D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2147687054.00000000037F4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2147687054.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 00:19:01
Start date: 30/10/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase: 0x320000
File size: 42'064 bytes
MD5 hash: 5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000002.00000002.3374386867.0000000000702000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation: moderate
Has exited: false

Target ID: 3
Start time: 00:19:01
Start date: 30/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3106ba51401e0ded90c5a83b42bead5c3f6cc6c2380355d15dcddbb01a90edfb
                                                                      • Instruction ID: d6a2c7521f97c92d3c65957a78f44dc7c87c80e62d2b2f96e010018ca3fc7de3
                                                                      • Opcode Fuzzy Hash: 3106ba51401e0ded90c5a83b42bead5c3f6cc6c2380355d15dcddbb01a90edfb
                                                                      • Instruction Fuzzy Hash: 3B31B630B441864FDB15DB69D895AAF7FB2EFC5310B1440AAD8498B355EB309D06CB91
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f428aa38f9ac3afa5518a7743c28024120a876d919e330fb864847c18d0e255f
                                                                      • Instruction ID: 1e3718432aa5cdf6cefc4facbab97d87575e273976b35d81b60060f19fa61022
                                                                      • Opcode Fuzzy Hash: f428aa38f9ac3afa5518a7743c28024120a876d919e330fb864847c18d0e255f
                                                                      • Instruction Fuzzy Hash: 09318D34E4010ACFDB04DF69D549BAE7BF2EB88310F248066E50AAB384DB769C85CF51
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2131766364.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_244d000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0c968bf7f0ef5a9996b5a1f462d5bd9ff23f30b47b199474b650aca96d362fb8
                                                                      • Instruction ID: deb56542c4f073f55c53171d88a4295d7f1f2a9a7b630d26182831a853949696
                                                                      • Opcode Fuzzy Hash: 0c968bf7f0ef5a9996b5a1f462d5bd9ff23f30b47b199474b650aca96d362fb8
                                                                      • Instruction Fuzzy Hash: F3210372904244DFEB14DF14D9C4B27BBA5FB84718F20856AE90A0B342CB36E447CEA2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cb93cab18e08a6d9bb2fc61206e62f8123bd588677cc3510c6a57364f10e22b1
                                                                      • Instruction ID: c982090347ccef65d8b2c8ad1a52c264b79536fe5dc6476de772106e80f1e1ff
                                                                      • Opcode Fuzzy Hash: cb93cab18e08a6d9bb2fc61206e62f8123bd588677cc3510c6a57364f10e22b1
                                                                      • Instruction Fuzzy Hash: A43147B4A44655CFDF64CF68D98939ABFF1FB0A314F1088E6D00697240D776A982CF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7fc14866145b7cb06069f8aa2c7c7ea42a89ebac781d8e964192400288a0220d
                                                                      • Instruction ID: 0f7e98519a4f86b02006eb4fbf5fbb4cf481461cbd4bd05c71b7b50e2d1304fa
                                                                      • Opcode Fuzzy Hash: 7fc14866145b7cb06069f8aa2c7c7ea42a89ebac781d8e964192400288a0220d
                                                                      • Instruction Fuzzy Hash: 58210970E04209DBDB04DFADD4487AEBFF1EB49305F1486ABC00597294EB744A85CF51
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2131766364.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_244d000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1c0ea8ac14fc74e663804003722c5748d7f7d67e40f10682ff6fe27520835ca6
                                                                      • Instruction ID: a65d615ca6f238325ffd58ddac477f893f383efb960e734fd922798b5d7bfc65
                                                                      • Opcode Fuzzy Hash: 1c0ea8ac14fc74e663804003722c5748d7f7d67e40f10682ff6fe27520835ca6
                                                                      • Instruction Fuzzy Hash: 732192755093C0CFDB16CF20D994716BF71EB86214F2881DBD8458B667C33AD41ACB62
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 779e50c7ee445e4e714048f6bcdd216ff26f905ab718d99b636d61ce00975934
                                                                      • Instruction ID: 1221b5d74c5afefd3907f0cd82470b95bc2f370d6b884035665c0e643873ba2c
                                                                      • Opcode Fuzzy Hash: 779e50c7ee445e4e714048f6bcdd216ff26f905ab718d99b636d61ce00975934
                                                                      • Instruction Fuzzy Hash: 572103B4A44A54CFEF648F78E9493AABFB1FB06315F1148E6D00697284D776A982CF00
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fb7174662617dcd5af4578be2ac2a459907621bd6d02536ea1403871edd21c95
                                                                      • Instruction ID: a0d25d611525a6dd278bb0b79de38252c9695d5409e98e1528fa9da5d0bd0c1f
                                                                      • Opcode Fuzzy Hash: fb7174662617dcd5af4578be2ac2a459907621bd6d02536ea1403871edd21c95
                                                                      • Instruction Fuzzy Hash: 7C11BEB0A10108CFDF48CB14DD48BEBFBB3EB84300F548066C4095B655E7356A8ACF54
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c62cfdcb6f7c307b0d1a7176d0a4901e5555e24749658771e0cb690375064ca2
                                                                      • Instruction ID: 0a0b69948b32663fe4a94181975c4b7aa2d5e5e46226035fa70727375cca6796
                                                                      • Opcode Fuzzy Hash: c62cfdcb6f7c307b0d1a7176d0a4901e5555e24749658771e0cb690375064ca2
                                                                      • Instruction Fuzzy Hash: F711C430A05194DFDB17DF79D8A67E97FB2DF46304F2490EAC0448B256DA31594ACF44
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0b1ce0ca794188619cef10003f354428c274410b085e76d00528e69568da5298
                                                                      • Instruction ID: 0fd28ad09a0b8a2d340052ac2d7172823ea116a46ccee6c9564cb277f01c5f80
                                                                      • Opcode Fuzzy Hash: 0b1ce0ca794188619cef10003f354428c274410b085e76d00528e69568da5298
                                                                      • Instruction Fuzzy Hash: 2C2104B4A44A14CFEF64CF64E9883AABFB1FB06315F1048E6D00697244D776A9C2CF41
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 29a2d97e785a58d5ce0e493edcc72d344ed5892fb7cbb961ae4f3974806d5d95
                                                                      • Instruction ID: 192aa58f5ab917aa288814089724541c303601881bfe97f1914251ce5caed2c9
                                                                      • Opcode Fuzzy Hash: 29a2d97e785a58d5ce0e493edcc72d344ed5892fb7cbb961ae4f3974806d5d95
                                                                      • Instruction Fuzzy Hash: FA11442A01E3C55FC7071B7858B50D57F749C8B20830E41CBD9C5CF1A3EA2868AEE7A6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c4f241e2fb4b4108b2035d9342937638db23c3ebad9e84c24bcc5073962b480b
                                                                      • Instruction ID: 63d45ef92aae75f7c4048bc1a30c279cf3e8acbf9561ddde21a5480e0e157a26
                                                                      • Opcode Fuzzy Hash: c4f241e2fb4b4108b2035d9342937638db23c3ebad9e84c24bcc5073962b480b
                                                                      • Instruction Fuzzy Hash: A6115874A00248CFCB15DBA4D580B9EFBB2FB88310FA48A66D5059B308D735A982CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 55d5f644a94920dc7e9132243748231f7cd5b2bdd80c34b150703f92278723b4
                                                                      • Instruction ID: 7a75fd7893ee059313fa25ad2286076c8b879a10af1537998222c2c2a99031a0
                                                                      • Opcode Fuzzy Hash: 55d5f644a94920dc7e9132243748231f7cd5b2bdd80c34b150703f92278723b4
                                                                      • Instruction Fuzzy Hash: 10114CB0A50109CBEF08CB55C9447ABF7B3EB88304F548176C5095B758E7796986CF94
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 015c20503500f6138cc0b03ebe79ed8874fe530c6317ad13706ef6d16472eac3
                                                                      • Instruction ID: 3a61605458e82724a2172a0a5028c00b0c5d66bd0557722204456c7e9f498b0f
                                                                      • Opcode Fuzzy Hash: 015c20503500f6138cc0b03ebe79ed8874fe530c6317ad13706ef6d16472eac3
                                                                      • Instruction Fuzzy Hash: A411C030E011899FDB45DB78D8547EEBFB2EF84310F14C0B6D84987245EA345A4BCB40
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 41563243dc99abb0ecc4958222ddcbd4d076e2eee5aa90e5d3067053a842fb91
                                                                      • Instruction ID: 992913644682792a3ad0ad8598cf523d520115d615230824c31af8b860a15edc
                                                                      • Opcode Fuzzy Hash: 41563243dc99abb0ecc4958222ddcbd4d076e2eee5aa90e5d3067053a842fb91
                                                                      • Instruction Fuzzy Hash: B31117B4D0420ADFCB44DFA9C545AAEBBF5FF88300F2185AAD819E3240E7745A81CF81
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1b2d7adce6a6a129e8cce97f773732107038b0c9e8a09ec502a6ff67d76bfb65
                                                                      • Instruction ID: 74e7017bcdfca8639dd018db737bca4631e6d795e76f4ecfd1c148db0fce3211
                                                                      • Opcode Fuzzy Hash: 1b2d7adce6a6a129e8cce97f773732107038b0c9e8a09ec502a6ff67d76bfb65
                                                                      • Instruction Fuzzy Hash: 13112AB0A50105CFEF08CB45C9487AAFBB3FB84304F648176C0095A359E7786A86CF54
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4782b3df54169c32ebd1a20839fff07c8237563fd2af1ae4a9b3b19914e3e1b2
                                                                      • Instruction ID: 4c032a7c93328a285b28c276f7f2ee22ad809bba6940e74b82191383a893811f
                                                                      • Opcode Fuzzy Hash: 4782b3df54169c32ebd1a20839fff07c8237563fd2af1ae4a9b3b19914e3e1b2
                                                                      • Instruction Fuzzy Hash: 0901F431609294AFCF15CB74A4407EA7FF6DB86321F2480B7D84CC2245E6B148828B10
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d3f31139588eebfe799ba580d5f76f483246fb1c6eb1986256dd0a2dc290eb00
                                                                      • Instruction ID: ce607226b2600bb982be188a9aaab94c97cb88c1e17e6d1982fcb3c94b653b57
                                                                      • Opcode Fuzzy Hash: d3f31139588eebfe799ba580d5f76f483246fb1c6eb1986256dd0a2dc290eb00
                                                                      • Instruction Fuzzy Hash: 32014F30E40109DFEB44EB69D9447AEBBB6EF84310F50C4B6D90A97344EB345A56CF91
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 814ac44817db9675f997c60bbac23fd12a55b656d043da709b131f09787583e5
                                                                      • Instruction ID: 8da6bfcd55af55cd873b67d7bbd178f6520d86088ae2d9946bebe9182971958c
                                                                      • Opcode Fuzzy Hash: 814ac44817db9675f997c60bbac23fd12a55b656d043da709b131f09787583e5
                                                                      • Instruction Fuzzy Hash: F7F01C0401E3C94FC3430B780CB84A17F389D0710430E05CBD8C88F4A3E6286A6EE372
                                                                      Memory Dump Source
• Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 71db495a20a46982b68273a7f9c8dce6b8282a2703f2db06ce60c927e6c05840
• Instruction ID: 367ffc15006b33bb58c45dd5c5109afa5fd6bda42d350d256c46fc22675b0dbd
• Opcode Fuzzy Hash: 71db495a20a46982b68273a7f9c8dce6b8282a2703f2db06ce60c927e6c05840
• Instruction Fuzzy Hash: 57F0B435705114AFDF18CB65E54479A7BEAD789325F204077D90CC3748EBB294C18B50

Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f0f79a851cb0017d1ed5187cd8993dbf44d35d036d16958c675b9acea6bfa350
• Instruction ID: db3983c7eda9022a370d175570c45a073ca92074e985f429a427c0c5bf6d95b4
• Opcode Fuzzy Hash: f0f79a851cb0017d1ed5187cd8993dbf44d35d036d16958c675b9acea6bfa350
• Instruction Fuzzy Hash: 6311B778900619CFDB64DF14D998ADA77F1FB88302F1041D9D51A97284DB345E84CF85

Memory Dump Source
• Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1851f34177861033d571c165558829f530a08099ee35b6dac5bcc29f32d6b61
• Instruction ID: 4e80337bb6a3a791ae9dc19f0732dcaa707740565234d4ff86fe4ada0ff95af8
• Opcode Fuzzy Hash: e1851f34177861033d571c165558829f530a08099ee35b6dac5bcc29f32d6b61
• Instruction Fuzzy Hash: 12F0B430B44250DFDB1B8B6898567E57FA7DF86304FA880B6D1058B2E6D3715497CF04

Memory Dump Source
• Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c3ae804c2db00b5b0763218b656b85ea889240f8117a4eaf83c46f366125a0e
• Instruction ID: 5f716d85741e9c906a073d19858c16a2881f27895af01f73d02a566177e40a47
• Opcode Fuzzy Hash: 8c3ae804c2db00b5b0763218b656b85ea889240f8117a4eaf83c46f366125a0e
• Instruction Fuzzy Hash: 82F015224592C46FDB424B649CB98F13F78DE0712432904C3E9C4CB133C522AA6AEB25

Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e4d755589a97197d79b317884c5d201d14d1b859b7d5236318784329b59c0d1
• Instruction ID: ab039f3038860b0277ba1d5389d66663fcd96fec356312154362c7428c13154a
• Opcode Fuzzy Hash: 8e4d755589a97197d79b317884c5d201d14d1b859b7d5236318784329b59c0d1
• Instruction Fuzzy Hash: 4FE0C974D0420CEFCB44DFA8D541A9CBBF5EB48300F10C1AA981993340D6329A51DF50

Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e4d755589a97197d79b317884c5d201d14d1b859b7d5236318784329b59c0d1
• Instruction ID: f997df546ea83ea8ad229a62b16c4c7bbaf251e9edd084816ff82e085caa7669
• Opcode Fuzzy Hash: 8e4d755589a97197d79b317884c5d201d14d1b859b7d5236318784329b59c0d1
• Instruction Fuzzy Hash: C9E0E5B4E05208EFCB44DFA9D941AADFBF5FB88300F10C1AA9C19A3340D6319A51EF80

Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e4d755589a97197d79b317884c5d201d14d1b859b7d5236318784329b59c0d1
• Instruction ID: 6737c162232a3477e26bbe014defe80459523c867463f370023bed3e081b2167
• Opcode Fuzzy Hash: 8e4d755589a97197d79b317884c5d201d14d1b859b7d5236318784329b59c0d1
• Instruction Fuzzy Hash: D3E0E574E04208EFCB84DFA8D849AACFBF5EB48300F10C1AA9918A3340E6319E51DF80

Memory Dump Source
• Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04616ab9cd3c50e6aba002d7ef4a8cb6e35cedc78011096a48b6d98c4eeff495
• Instruction ID: 448746d3d68050c8576f10b6a0037d43cf09cf66c5fd09c66ff8145036f58ac2
• Opcode Fuzzy Hash: 04616ab9cd3c50e6aba002d7ef4a8cb6e35cedc78011096a48b6d98c4eeff495
• Instruction Fuzzy Hash: 4EE08675908208EFCB04DF94D841A6DBFF8EB45300F20C19AD84497351D6719E97DB90

Memory Dump Source
• Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6415e78d11995566b10791b83be4b1c23d2fde27d7bcd5d5cd95ab7ad80b0a8
• Instruction ID: c5b649bec49e01d8d5e3c0fc598155f8fd27c39ef2e281e05f8cea7f505adbb6
• Opcode Fuzzy Hash: f6415e78d11995566b10791b83be4b1c23d2fde27d7bcd5d5cd95ab7ad80b0a8
• Instruction Fuzzy Hash: 62E06570A01402CFDF22DB95D184BAA7BA7EB80300FF880BAC4058A31DE73699C1CF00

Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b1e93c7a188c10697e794320a40ce6e5b0d975cd76b596b04212f2b1a38fbcb3
• Instruction ID: 10bcb8ef591a436f564aa4b2edcbd382ebd53fb8172ee8eff6841e6ef25c53b5
• Opcode Fuzzy Hash: b1e93c7a188c10697e794320a40ce6e5b0d975cd76b596b04212f2b1a38fbcb3
• Instruction Fuzzy Hash: 17E01A34D0820CABC704DF94D4416ACBBF4EB48300F1081A9981893351D6319A51DF91

Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63954f296de4991dc92c1944459e86a194d6061e01c76f7092a0be51c066399e
• Instruction ID: 6416c86d6566acc7428d1c2dd1326a6f23a361b9fa51e48be70fe72954c1ee1a
• Opcode Fuzzy Hash: 63954f296de4991dc92c1944459e86a194d6061e01c76f7092a0be51c066399e
• Instruction Fuzzy Hash: 3AE08634908208EFC704DF94D841AADBBB5EB45300F10819DDC0413340D6329E52DB80

Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b1e93c7a188c10697e794320a40ce6e5b0d975cd76b596b04212f2b1a38fbcb3
• Instruction ID: 22a2d19d3b1911a451f9124e2f2e2f4e0313ea433d2f9c48fac3a80f50cb5df9
• Opcode Fuzzy Hash: b1e93c7a188c10697e794320a40ce6e5b0d975cd76b596b04212f2b1a38fbcb3
• Instruction Fuzzy Hash: CFE01274D08208EFCB04DBA8D451AACBBF8EB88200F2081AA881863341D6359A42DB80

Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc8da281979175f4cb919549917846b112b3e7fa3594b0b5cf245a528c1fd7c1
• Instruction ID: fb428f5e0c4e302c972a86cdff3e1ca5f8c033bdfaaa2efee4b49394be2d2752
• Opcode Fuzzy Hash: dc8da281979175f4cb919549917846b112b3e7fa3594b0b5cf245a528c1fd7c1
• Instruction Fuzzy Hash: AAE012B294510CEBD710EFF4954569F77E8DF05200F1059E5D50593110EE719A50A795

Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d035b1037d05d8aaff1cfb9c3a855fc148d2977d1e7c2903b5867c745ee9c32
• Instruction ID: 846002e7146f4ea34803bccab33dc73576bac73dc18aff779a1bf6c9f7641d94
• Opcode Fuzzy Hash: 1d035b1037d05d8aaff1cfb9c3a855fc148d2977d1e7c2903b5867c745ee9c32
• Instruction Fuzzy Hash: 3AE0C2B290010CEBC710EFF48405B8FB7E8DB04200F0015E5940593110EE714E40A791

Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 924a8afdf6df9c5929850b47fcd4e426adc193718974cd9fe034c5b685c8ea75
• Instruction ID: be99fed57b751313567c8a8b3d2e1259bdf8b64bd40c43906da0c0650cf4e0c3
• Opcode Fuzzy Hash: 924a8afdf6df9c5929850b47fcd4e426adc193718974cd9fe034c5b685c8ea75
• Instruction Fuzzy Hash: E0E01234A48208EBC714DF98D941E6CBBB9EB45305F20819DD80917341DA729E52DB81

Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 094df55a21c950febf881b1d1b9b8e18e8d247fd570b63aa40a1864f35a68c5b
• Instruction ID: 820f9e4589fbf776ae98a86787c9f75c08528ffbcdd00f9c102f71a6b620a386
• Opcode Fuzzy Hash: 094df55a21c950febf881b1d1b9b8e18e8d247fd570b63aa40a1864f35a68c5b
• Instruction Fuzzy Hash: 63E06D3491521C8FE706EF64D86C69E7BB2FF89346F084099950E57289CF381D44CF91

Memory Dump Source
• Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 287300e9577b4ddc614931ba2ca4dd338e914c9dd573d84bca6b0ea8558d1f4e
• Instruction ID: b6bdb24097ab7da0625c8d580d09ce3bbd5361e0eb465c3b23889ac6b9b5b4b5
• Opcode Fuzzy Hash: 287300e9577b4ddc614931ba2ca4dd338e914c9dd573d84bca6b0ea8558d1f4e
• Instruction Fuzzy Hash: 69E01A70901119CFDF08DF88E884BDD7BB2FB49304F20166AD0096B354D779A885CF54

Memory Dump Source
• Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7d82e6850a8f67ad1705d24ba29d39304316293919833cd5c51f54c7ddb2452
• Instruction ID: b7c5c0e8c69a33022dbd93f53a0d695d1f84102e664c22990c1ef18fda7d78de
• Opcode Fuzzy Hash: b7d82e6850a8f67ad1705d24ba29d39304316293919833cd5c51f54c7ddb2452
• Instruction Fuzzy Hash: F4D0C730A042408FEB11CB25A80832336CBE780224FF88832C0088121EE7309482CA09

Memory Dump Source
• Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43c7892635211e070c263da01abac3543b4a670032de0fe49332e00d1acc1d98
• Instruction ID: 84f1825412e074cf269418f992770780ec9c076beb71c9d4fc97331a3065a295
• Opcode Fuzzy Hash: 43c7892635211e070c263da01abac3543b4a670032de0fe49332e00d1acc1d98
• Instruction Fuzzy Hash: 5CD01770A01148EFCB05EFA9E94155DFBB9EB44204B1085AED808E7304EF312F049B90

Memory Dump Source
• Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9602774b9c12e703ed52873e841e039b9327c36fdd42f2a1bfac7ec308d77e96
• Instruction ID: 65ea2225e5ab482fdea926bc881c7be13bde069bb9337fd2f5d1ac9950d09806
• Opcode Fuzzy Hash: 9602774b9c12e703ed52873e841e039b9327c36fdd42f2a1bfac7ec308d77e96
• Instruction Fuzzy Hash: 97E0EC34E01119DFDF08CFD9D890BADB7B1BB49300F108A1AE426B7290CB35A841CF55

Memory Dump Source
• Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: faabd60ecd347a7d1e0b4c714037ed9c2b2da493281d8a30b3cdd035ed339ff3
• Instruction ID: fb80247e48771bfc72da9e384f89785204e43c8fafd5ac52603f14a9795b6b2b
• Opcode Fuzzy Hash: faabd60ecd347a7d1e0b4c714037ed9c2b2da493281d8a30b3cdd035ed339ff3
• Instruction Fuzzy Hash: 3BD0A774EC0211C7EF04FF60D44435A7BA0DB48301F85286BC64667604DF249C998FD6

Memory Dump Source
• Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c249e01b46f4fb3b805def279243cb60aabe823ef4386e3466e1c6ef227753f
• Instruction ID: 68f700443f39bc3f6aa0971003f32c80c9ab22357c597fa35f4facb1ed319107
• Opcode Fuzzy Hash: 5c249e01b46f4fb3b805def279243cb60aabe823ef4386e3466e1c6ef227753f
• Instruction Fuzzy Hash: 79C0020515D2C41FE38B02315C7A5E67FA9DC8701435E04CBD8C04A0A3A945794AD32A

Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1974b692e53cc645db00613b4dca887ce753ca6080b190bd6191bb60307e4a1f
• Instruction ID: e92b7dc11536b8f358673a1efb379db91eb6f6c695318cba0ada63db1b9141b2
• Opcode Fuzzy Hash: 1974b692e53cc645db00613b4dca887ce753ca6080b190bd6191bb60307e4a1f
• Instruction Fuzzy Hash: A1C02B3D08D348C7E3142741640D73272ECE742301F001D20440D8046196F0C894D241

Memory Dump Source
• Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b4a6c5f8a70f88b4d4d170ab5844e0fdc254a4174b4c87d93f91320ef17e59ad
• Instruction ID: 875dd15934885e4c65821f8ca2bce62daf3308ee4ae82a8ebabfb66a81ce875e
• Opcode Fuzzy Hash: b4a6c5f8a70f88b4d4d170ab5844e0fdc254a4174b4c87d93f91320ef17e59ad
• Instruction Fuzzy Hash: CCD05E39E80211CFDF04DF14D804392B7E0FF48300B8AA466C54A6B610D730A8928BC1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 82c59bbc8407b1b1b8b65e09d758452f511261ed04f136cbe68103fd1277a139
                                                                      • Instruction ID: 541aea7dc60ace23c8755157c10064fc4a7d88b5af0ea0c6b4469309fa2ff5f2
                                                                      • Opcode Fuzzy Hash: 82c59bbc8407b1b1b8b65e09d758452f511261ed04f136cbe68103fd1277a139
                                                                      • Instruction Fuzzy Hash: A7C0025900F6C45EDB6786600D5BAC73E75581204479D80C6988599153E458490D87A6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 56e0730634ee1d6ca1bb491d7fc1429ae24bfbf552262daa31426a6810b9b082
                                                                      • Instruction ID: d91b5bcb583eb2e6561558ecd6fc31d2914044f5c5feb90e248430994e434e65
                                                                      • Opcode Fuzzy Hash: 56e0730634ee1d6ca1bb491d7fc1429ae24bfbf552262daa31426a6810b9b082
                                                                      • Instruction Fuzzy Hash: CCC0480001D7E00FE36343A50ABA6E73FA88C464A139809DA88C54A563A008215EA3AA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dc94aea31833efcf6953316f9f1a87eda6d4db95836005809749d68efbd71d63
                                                                      • Instruction ID: 9d5f9b34dbf28ee6aab070f329706fc43cf8f9467a92dd65c58639b20c4a56ec
                                                                      • Opcode Fuzzy Hash: dc94aea31833efcf6953316f9f1a87eda6d4db95836005809749d68efbd71d63
                                                                      • Instruction Fuzzy Hash: 81C0480441E2C42BCB620BA89CF95E63F688C8B66079908C2D9C09E17B9444262AA22A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0540ea8092886982d52a60fe181a728c91c98573de2d23f9e21745058e2135a0
                                                                      • Instruction ID: 27cbae433b4d523be7c5cd7f35ab548b89cddb7010b88e7f39d70141cfc25ac9
                                                                      • Opcode Fuzzy Hash: 0540ea8092886982d52a60fe181a728c91c98573de2d23f9e21745058e2135a0
                                                                      • Instruction Fuzzy Hash: 8AC01234C04192CFCF098F48E448318BAA0BB09340F004CA3D00AE2200C3B40AA28E05
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2132051176.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2490000_lNf8XY8HLb.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 25d006f10724561288d547c14274e93217480af785146b6270997ae335544b79
                                                                      • Instruction ID: 158deb4abaeb6f2a3ba199cbefb765f8e1162f9c2bd237e13fb9929259a82f24
                                                                      • Opcode Fuzzy Hash: 25d006f10724561288d547c14274e93217480af785146b6270997ae335544b79
                                                                      • Instruction Fuzzy Hash: E590223008020C8B088023803008008B3CC80202003C00000B00C000020E2020300080
Strings
Memory Dump Source
• Source File: 00000000.00000002.2149883887.0000000005A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a50000_lNf8XY8HLb.jbxd
Similarity
• API ID:
• String ID: 8EB
• API String ID: 0-165611517

Execution Graph

Execution Coverage: 12.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 16
Total number of Limit Nodes: 0
[Execution graph: 16 nodes from a60871 to a60d56. The entry at a60871 branches to a60889, a608c8 and a608d8; the a608c8 and a608d8 paths lead through a608fa to a60ce0 and a60ce8, which call GetConsoleWindow (a60d26), then return through a60d56 and a6093e to a60889. GetConsoleWindow is the only API on the graph.]

Control-flow Graph

control_flow_graph (function at a60ce0)
• Block 815: a60ce0-a60d54, calls GetConsoleWindow; successors: 818, 819
• Block 818: a60d56-a60d5c; successor: 819
• Block 819: a60d5d-a60d82
APIs
• GetConsoleWindow.KERNELBASE ref: 00A60D47
Memory Dump Source
• Source File: 00000002.00000002.3374905032.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_a60000_InstallUtil.jbxd
Similarity
• API ID: ConsoleWindow
• String ID:
• API String ID: 2863861424-0

Control-flow Graph

control_flow_graph (function at a60ce8)
• Block 823: a60ce8-a60d54, calls GetConsoleWindow; successors: 826, 827
• Block 826: a60d56-a60d5c; successor: 827
• Block 827: a60d5d-a60d82
APIs
• GetConsoleWindow.KERNELBASE ref: 00A60D47
Memory Dump Source
• Source File: 00000002.00000002.3374905032.0000000000A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_a60000_InstallUtil.jbxd
Similarity
• API ID: ConsoleWindow
• String ID:
• API String ID: 2863861424-0