
Windows Analysis Report
Firewall Security.exe

Overview

General Information

Sample Name: Firewall Security.exe
Analysis ID: 1317420
MD5: 4d6800baf908cecb930a18f6359274f5
SHA1: 1579141f4500259c384d07f6b63101fa2fb047b7
SHA256: fa55ce1ea601880ae7844817604add6a2105ed59394e0dc61195fcde086bc0d1

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Creates a DirectInput object (often for capturing keystrokes)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Potential key logger detected (key state polling based)
Program does not show much activity (idle)

Classification

  • System is w10x64
  • Firewall Security.exe (PID: 7556 cmdline: C:\Users\user\Desktop\Firewall Security.exe MD5: 4D6800BAF908CECB930A18F6359274F5)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Firewall Security.exe | ReversingLabs: Detection: 30%
Source: Firewall Security.exe | Virustotal: Detection: 35%
Source: Firewall Security.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Dell\source\repos\Network Security Premium\Network Security Premium\obj\Debug\Network Security Premium.pdb source: Firewall Security.exe
Source: Firewall Security.exe, 00000000.00000002.1161583859.00000000010EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>memstr_c1ebb228-9
Source: C:\Users\user\Desktop\Firewall Security.exe | Code function: 0_2_09928BD0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_09928BD0
Source: Firewall Security.exe, 00000000.00000000.895024110.0000000000B96000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNetwork Security Premium.exeR vs Firewall Security.exe
Source: Firewall Security.exe, 00000000.00000002.1161743937.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetwork Security Premium.exeR vs Firewall Security.exe
Source: Firewall Security.exe, 00000000.00000002.1161743937.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Firewall Security.exe
Source: Firewall Security.exe, 00000000.00000002.1161743937.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ${q,\\StringFileInfo\\000004B0\\OriginalFilename vs Firewall Security.exe
Source: Firewall Security.exe | Binary or memory string: OriginalFilenameNetwork Security Premium.exeR vs Firewall Security.exe
Source: C:\Users\user\Desktop\Firewall Security.exe | File read: C:\Users\user\Desktop\Firewall Security.exe:Zone.Identifier
Source: Firewall Security.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Firewall Security.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Firewall Security.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Firewall Security.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll
Source: classification engine | Classification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Firewall Security.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Firewall Security.exe | Static file information: File size 1810432 > 1048576
Source: Firewall Security.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Firewall Security.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Firewall Security.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16c400
Source: Firewall Security.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\Firewall Security.exe | Code function: 0_2_02EAE730 push eax; ret 0_2_02EAE731
Source: C:\Users\user\Desktop\Firewall Security.exe | Code function: 0_2_099211FB pushfd ; iretd 0_2_09921201
Source: C:\Users\user\Desktop\Firewall Security.exe | Code function: 0_2_09925E10 push eax; mov dword ptr [esp], edx 0_2_09925E24
Source: C:\Users\user\Desktop\Firewall Security.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Firewall Security.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Firewall Security.exe | Queries volume information: C:\Users\user\Desktop\Firewall Security.exe VolumeInformation
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Firewall Security.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: 1 Disable or Modify Tools; 1 Obfuscated Files or Information
Credential Access: 2 Input Capture; LSASS Memory
Discovery: 13 System Information Discovery; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: 2 Input Capture; 1 Archive Collected Data
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: 1 Encrypted Channel; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
Behavior Graph ID: 1317420; Sample: Firewall Security.exe; Startdate: 01/10/2023; Architecture: WINDOWS; Score: 48. Signature: Multi AV Scanner detection for submitted file. Process: Firewall Security.exe (started).

Source | Detection | Scanner | Label | Link
Firewall Security.exe | 30% | ReversingLabs | Win32.PUA.Generic |
Firewall Security.exe | 36% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe |
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn | 0% | Virustotal | | Browse
http://www.founder.com.cn/cn/cThe | 0% | Virustotal | | Browse
http://www.zhongyicts.com.cn | 1% | Virustotal | | Browse
http://www.founder.com.cn/cn/bThe | 1% | Virustotal | | Browse
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmp, Firewall Security.exe, 00000000.00000002.1162103438.0000000006052000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.fontbureau.com/designers/cabarga.htmlNFirewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                http://www.founder.com.cn/cn/cTheFirewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://www.galapagosdesign.com/staff/dennis.htmFirewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.founder.com.cn/cnFirewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://www.fontbureau.com/designers/frere-jones.htmlFirewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.jiyu-kobo.co.jp/Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.galapagosdesign.com/DPleaseFirewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.fontbureau.com/designers8Firewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.fonts.comFirewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.sandoll.co.krFirewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.urwpp.deDPleaseFirewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.zhongyicts.com.cnFirewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                      • 1%, Virustotal, Browse
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameFirewall Security.exe, 00000000.00000002.1161743937.0000000002EE1000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.sakkal.comFirewall Security.exe, 00000000.00000002.1162146745.0000000007142000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        No contacted IP infos
                        Joe Sandbox Version:38.0.0 Beryl
                        Analysis ID:1317420
                        Start date and time:2023-10-01 04:40:54 +02:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 4m 52s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:9
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample file name:Firewall Security.exe
                        Detection:MAL
                        Classification:mal48.winEXE@1/0@0/0
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 40
                        • Number of non-executed functions: 6
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                        • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, displaycatalog.mp.microsoft.com, g.bing.com, arc.msn.com
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        No simulations
                        No context
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):4.038637255620245
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:Firewall Security.exe
                        File size:1'810'432 bytes
                        MD5:4d6800baf908cecb930a18f6359274f5
                        SHA1:1579141f4500259c384d07f6b63101fa2fb047b7
                        SHA256:fa55ce1ea601880ae7844817604add6a2105ed59394e0dc61195fcde086bc0d1
                        SHA512:01a053bcddb30190ed171fd594a78fbdf34e72ff6f709f8b44b4a98db7be3d110d4f57c46264286387c1878b78a5f2b3b1b3a657c9a1a606765e99e5db02e7af
                        SSDEEP:6144:bsl+BvlcILZd0oY7wg0OGPE3pzBlsK1nhcLHGQ:b1lNLT0oY7H0OGPE3plaK1EGQ
                        TLSH:BB85EF7314095449D07A8EF00315FFB6405EAC7E049987DEA9EBFD43A63628FEC61A27
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....B.Z.........."...P.................. ........@.. ....................................`................................
                        Icon Hash:0f0b1d8b1b0b3997
                        Entrypoint:0x56e3ca
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x5AD8429F [Thu Apr 19 07:17:51 2018 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16e378 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x170000 | 0x4d7cc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1be000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x16e240 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x16c3d0 | 0x16c400 | False | 0.11373501308339053 | data | 3.835831492359187 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x170000 | 0x4d7cc | 0x4d800 | False | 0.20701234879032257 | data | 3.947941815599056 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1be000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1701c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.6578014184397163
RT_ICON | 0x170640 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m | | | 0.49385245901639346
RT_ICON | 0x170fd8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.41393058161350843
RT_ICON | 0x172090 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.2945020746887967
RT_ICON | 0x174648 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.23488427019367028
RT_ICON | 0x178880 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m | | | 0.16767395417279798
RT_ICON | 0x181d38 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.1369632083284041
RT_ICON | 0x192570 | 0x25228 | Device independent bitmap graphic, 192 x 384 x 32, image size 147456, resolution 2835 x 2835 px/m | | | 0.1037382317361805
RT_ICON | 0x1b77a8 | 0x5be0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9979166666666667
RT_GROUP_ICON | 0x1bd398 | 0x84 | data | | | 0.7272727272727273
RT_VERSION | 0x1bd42c | 0x39c | data | | | 0.3906926406926407
DLL | Import
mscoree.dll | _CorExeMain
                        No network behavior found

                        Target ID:0
                        Start time:04:41:46
                        Start date:01/10/2023
                        Path:C:\Users\user\Desktop\Firewall Security.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\Firewall Security.exe
                        Imagebase:0x9e0000
                        File size:1'810'432 bytes
                        MD5 hash:4D6800BAF908CECB930A18F6359274F5
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:low
                        Has exited:false

                        Execution Graph


                        Execution Coverage:7.6%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:2.3%
                        Total number of Nodes:175
                        Total number of Limit Nodes:11

                        Executed Functions

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162335262.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8f80000_Firewall Security.jbxd
                        Similarity
                        • API ID:
                        • String ID: $(&{q
                        • API String ID: 0-815821125
                        • Opcode ID: db1d4e89fa6b9a9f09c0a3b785fabd87cb9e15cc1e96fd7032eecd2a302fe28b
                        • Instruction ID: 657c6c5512178fe48522ab69d5294611e78bd7a9227d823e3653266f4fd0dbad
                        • Opcode Fuzzy Hash: db1d4e89fa6b9a9f09c0a3b785fabd87cb9e15cc1e96fd7032eecd2a302fe28b
                        • Instruction Fuzzy Hash: 8D9182B1E006199FDB18EF79C854AAFBBF6EF88301F10852AE405E7340EB359D058B95
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162350936.0000000009920000.00000040.00000800.00020000.00000000.sdmp, Offset: 09920000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9920000_Firewall Security.jbxd
                        Similarity
                        • API ID:
                        • String ID: fff?
                        • API String ID: 0-4136771917
                        • Opcode ID: f2caa8c32a4bfcdcb8d983e71f887d8b0de9520a58594804780f9766945f014f
                        • Instruction ID: 162684e15e9b0f48a63636cc9f3e3dfcd23b38217008f4370ab9086efd492914
                        • Opcode Fuzzy Hash: f2caa8c32a4bfcdcb8d983e71f887d8b0de9520a58594804780f9766945f014f
                        • Instruction Fuzzy Hash: D8624A3581061ADFCF11DF60C884AD9B7B2FF99304F1586D5E9086B125EB72AAD5CF80
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1162335262.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8f80000_Firewall Security.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5194b86159c86d74858d64edb2a93d4df986d23f647b8a1f58b658baee17dcfa
                        • Instruction ID: 5ad33ec15b28f8709254717f86e2e85c615dcce32eb03d0d38f8cc3684b3eead
                        • Opcode Fuzzy Hash: 5194b86159c86d74858d64edb2a93d4df986d23f647b8a1f58b658baee17dcfa
                        • Instruction Fuzzy Hash: C7520735A10619CFCB21EF74C854AA9BBB5FF49311F1485D9E509AB261EF31EA82CF40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1162350936.0000000009920000.00000040.00000800.00020000.00000000.sdmp, Offset: 09920000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9920000_Firewall Security.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 83eb6bf2b554d44c193f800ddac7ae097839f0b72714f1b39e244532ea0f0284
                        • Instruction ID: cdff8af59679c129cf1d32db29e2d89545a377998001436ff51c825574eeebe4
                        • Opcode Fuzzy Hash: 83eb6bf2b554d44c193f800ddac7ae097839f0b72714f1b39e244532ea0f0284
                        • Instruction Fuzzy Hash: 9432393591062ACFCB21DF64C945BD9B7B6FF89300F1085E9E409AB260EB75EA85CF40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000000.00000002.1162335262.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8f80000_Firewall Security.jbxd
                        Similarity
                        • API ID: DispatchMessage
                        • String ID:
                        • API String ID: 2061451462-0
                        • Opcode ID: f1f2c99c07e76b7afb005dbb46cb3352a43ada509f5758a0291a4e48fec5ed65
                        • Instruction ID: d51a54c9fe84c83e2514a2aac04781e5277ee1de3613ca991ff896b70f385c14
                        • Opcode Fuzzy Hash: f1f2c99c07e76b7afb005dbb46cb3352a43ada509f5758a0291a4e48fec5ed65
                        • Instruction Fuzzy Hash: E4F14D71E00209CFDB14EFA9C988BADBBF1BF48305F258559E409AF3A5DB74A945CB40
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02EAD72E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1161724704.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ea0000_Firewall Security.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: a48a61e6c5f37c22ce197127d361d3fca19c006797a6e3501f9b0974523ba590
                        • Instruction ID: b6a7dfbb1c54cab2f32678f3799e6317b65d02ae729e4c7ace5818a02a5583f6
                        • Opcode Fuzzy Hash: a48a61e6c5f37c22ce197127d361d3fca19c006797a6e3501f9b0974523ba590
                        • Instruction Fuzzy Hash: 088126B0A00B058FD724DF29D45475ABBF5BF88308F10992EE48ADBA40DB35F945CB91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02EAF7E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1161724704.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ea0000_Firewall Security.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        • Opcode ID: 27e26568d96ebf4b162679079c7aac60994932a0a9240b2b362295e958c091c3
                        • Instruction ID: cde16761f7748f9ef42a4514e4e2eeaf8bd7be3ba96bac8fcf3b56ed111ed002
                        • Opcode Fuzzy Hash: 27e26568d96ebf4b162679079c7aac60994932a0a9240b2b362295e958c091c3
                        • Instruction Fuzzy Hash: 0151C0B1D10309DFDF14CF99C994ADEBBB5BF88314F24812AE819AB210D775A845CF90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02EAF7E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1161724704.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ea0000_Firewall Security.jbxd
                        Similarity
                        • API ID: CreateWindow
                        • String ID:
                        • API String ID: 716092398-0
                        • Opcode ID: 19df7c7f43cc61b433e07562bb4d5f32fc25ce13eda0a5d27eeaf1856d0103a9
                        • Instruction ID: b24cbdd0db3cd1196e0cf7ec54c5d5498ba41d94cc411059ae049e1f26b12796
                        • Opcode Fuzzy Hash: 19df7c7f43cc61b433e07562bb4d5f32fc25ce13eda0a5d27eeaf1856d0103a9
                        • Instruction Fuzzy Hash: A451B0B1D10349DFDF14CF99C994ADEBBB5BF48314F24812AE819AB210D775A885CF90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02EAF900,?,?,?,?), ref: 02EAFD75
                        Memory Dump Source
                        • Source File: 00000000.00000002.1161724704.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ea0000_Firewall Security.jbxd
                        Similarity
                        • API ID: LongWindow
                        • String ID:
                        • API String ID: 1378638983-0
                        • Opcode ID: f32fde8c909fe7b3923199243fc276d9318ae85556c27661b8491ec9b3397418
                        • Instruction ID: def8f9aeccadb1f6baa496c7942c73218be6725410496df42fdf4ed107a735c6
                        • Opcode Fuzzy Hash: f32fde8c909fe7b3923199243fc276d9318ae85556c27661b8491ec9b3397418
                        • Instruction Fuzzy Hash: 6031D2B28003489FCB01DFA9D895BEEBFF8EF96364F14444AD585EB601D734A840CBA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EA7807
                        Memory Dump Source
                        • Source File: 00000000.00000002.1161724704.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ea0000_Firewall Security.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 6f2dce04c50caf1b5d801c89b4cfacfb9973eb59aab374a6103ce8791ab647bc
                        • Instruction ID: 3d751dac37722fa6adbd01b71f8901660b41676f4036613afc8d24ca79c45a49
                        • Opcode Fuzzy Hash: 6f2dce04c50caf1b5d801c89b4cfacfb9973eb59aab374a6103ce8791ab647bc
                        • Instruction Fuzzy Hash: 0221E6B59002489FDB10CFAAD984AEEFFF8EB48324F24841AE954A7310D774A954CF65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02EAD7A9,00000800,00000000,00000000), ref: 02EAD9BA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1161724704.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ea0000_Firewall Security.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 1910be1e8bf18ea894caef499122139813559a7d663dadb779804be51384f558
                        • Instruction ID: be1811799fe91549b25e6b9f1266972fcd41024d082c350458fbed0d28dee997
                        • Opcode Fuzzy Hash: 1910be1e8bf18ea894caef499122139813559a7d663dadb779804be51384f558
                        • Instruction Fuzzy Hash: 3F213AB28043498FCB10CFAAC844ADEBBF4BF98314F14845AD559AB610C3B4A545CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EA7807
                        Memory Dump Source
                        • Source File: 00000000.00000002.1161724704.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ea0000_Firewall Security.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 1700b7507e8d137f53f1a2ba76510bb1de29d465b404ac04858fb07ca9fb24c3
                        • Instruction ID: f0b4b038ca01e342cb7341679d925016c47f725b7c5b8df6afd1ec9bcae6b44f
                        • Opcode Fuzzy Hash: 1700b7507e8d137f53f1a2ba76510bb1de29d465b404ac04858fb07ca9fb24c3
                        • Instruction Fuzzy Hash: 3521C6B59002499FDB10CF9AD584AEEFBF8EB48324F14841AE914A7310D774A954CF65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • PostMessageW.USER32(?,?,?,?), ref: 08F83225
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162335262.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8f80000_Firewall Security.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: 7171fa6ed6b3fd8ebce05b9f20c5ace8304d7dfaf3a0f44238722b75c4847570
                        • Instruction ID: 9801024daa12ba2222f84888da9f7722f1ab6e028f5fa8d2f879ccb4bd573e5b
                        • Opcode Fuzzy Hash: 7171fa6ed6b3fd8ebce05b9f20c5ace8304d7dfaf3a0f44238722b75c4847570
                        • Instruction Fuzzy Hash: D2215B75808389CFDB11CFA9C944BEABFF4EB59310F15849AD494A7291C378A544CFA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,08F87442,00000000,00000000,03EE42B4,02F2AEAC), ref: 08F87890
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162335262.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8f80000_Firewall Security.jbxd
                        Similarity
                        • API ID: MessagePeek
                        • String ID:
                        • API String ID: 2222842502-0
                        • Opcode ID: 82324b094ca1923dbf7fb7f23e467df1cd33965b52233539b59164647fd72613
                        • Instruction ID: 8288cc55f271203e902120c1e5021005699cb703cf89c1f8602b861204f016da
                        • Opcode Fuzzy Hash: 82324b094ca1923dbf7fb7f23e467df1cd33965b52233539b59164647fd72613
                        • Instruction Fuzzy Hash: D611F9B5C00209DFDB10DF9AD584BEEFBF8EB48321F20842AE558A3250D378A554CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02EAD7A9,00000800,00000000,00000000), ref: 02EAD9BA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1161724704.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ea0000_Firewall Security.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 73f40a68976691bab1ac49f4a37d1c1817e07cf3ebc6e7d364b152b95cfd80ea
                        • Instruction ID: ce89045e77f1f93a961bc485d1fae742b1a519ee65388c3480fb14c7b25101d1
                        • Opcode Fuzzy Hash: 73f40a68976691bab1ac49f4a37d1c1817e07cf3ebc6e7d364b152b95cfd80ea
                        • Instruction Fuzzy Hash: 9F11D3B69002099FCB14CF9AD944AEEBBF8AB88324F14842AD559A7600C7B4A545CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,08F874CF,00000000,03EE42B4,02F2AEAC,00000000,?), ref: 08F87AB5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162335262.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8f80000_Firewall Security.jbxd
                        Similarity
                        • API ID: CallbackDispatcherUser
                        • String ID:
                        • API String ID: 2492992576-0
                        • Opcode ID: 29416517f78e2951d2eff5bdd01098f7a5aaca90ec218ba3415448bf848e73a6
                        • Instruction ID: 1eda45a0440b75503b60d0af42197f9976e4af0bab9f22f0d4bbec1772d6f025
                        • Opcode Fuzzy Hash: 29416517f78e2951d2eff5bdd01098f7a5aaca90ec218ba3415448bf848e73a6
                        • Instruction Fuzzy Hash: 5011F9B1800349DFDB10DF9AD984BEEBBF8EB58314F14842AE559B3210D378A654CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02EAD7A9,00000800,00000000,00000000), ref: 02EAD9BA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1161724704.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ea0000_Firewall Security.jbxd
                        Similarity
                        • API ID: LibraryLoad
                        • String ID:
                        • API String ID: 1029625771-0
                        • Opcode ID: 8360a594d1a8fab58f1fe741bd9bff92f16c1634711a06527d73e99b09105081
                        • Instruction ID: 0688dd478cd02fda32e75b65618698f5db561992bbfa26f2d4b0a3a09e7c4a85
                        • Opcode Fuzzy Hash: 8360a594d1a8fab58f1fe741bd9bff92f16c1634711a06527d73e99b09105081
                        • Instruction Fuzzy Hash: 661114B28002498FCB10CFAAD944BDEFBF8AB88324F14842ED559A7600C7B4A545CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • KiUserCallbackDispatcher.NTDLL(?,?,00000000,00000000,?,?,?,08F874CF,00000000,03EE42B4,02F2AEAC,00000000,?), ref: 08F87AB5
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162335262.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8f80000_Firewall Security.jbxd
                        Similarity
                        • API ID: CallbackDispatcherUser
                        • String ID:
                        • API String ID: 2492992576-0
                        • Opcode ID: b840d15d40d18ff96816f6821ea03e9b5f286d90674fa4b799879ba86e609d16
                        • Instruction ID: 5c9a66a4676f1f3269903cdce6371d322c70afa63627a152f63ebe9403c2103b
                        • Opcode Fuzzy Hash: b840d15d40d18ff96816f6821ea03e9b5f286d90674fa4b799879ba86e609d16
                        • Instruction Fuzzy Hash: F511F9B1800349DFDB10DF9AD544BDEFBF8EB58324F14842AE858A3251C378A554CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,08F87442,00000000,00000000,03EE42B4,02F2AEAC), ref: 08F87890
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162335262.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8f80000_Firewall Security.jbxd
                        Similarity
                        • API ID: MessagePeek
                        • String ID:
                        • API String ID: 2222842502-0
                        • Opcode ID: 08f838a083f0510389d4f2b290d33b983caed99c17279a7f26a62363d7c9e566
                        • Instruction ID: 16136fec73336e641002f31413384db19495cc52b96282dacf19455c7dc8e8aa
                        • Opcode Fuzzy Hash: 08f838a083f0510389d4f2b290d33b983caed99c17279a7f26a62363d7c9e566
                        • Instruction Fuzzy Hash: B211E4B5C00249DFDB10DF99D584BEEFBF8AB48320F24842AE558B3251D378A554CF65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • PostMessageW.USER32(?,?,?,?), ref: 08F83225
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162335262.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8f80000_Firewall Security.jbxd
                        Similarity
                        • API ID: MessagePost
                        • String ID:
                        • API String ID: 410705778-0
                        • Opcode ID: eb3306e488c2527643819d61f0c9b8604250803ac06c80838dae1d49f8baf41e
                        • Instruction ID: ebf38a87577b2a6bf6ccdfa89b5d11ed3e3e9f46d1365120a11207e12dcbb0fa
                        • Opcode Fuzzy Hash: eb3306e488c2527643819d61f0c9b8604250803ac06c80838dae1d49f8baf41e
                        • Instruction Fuzzy Hash: BB1125B1800349CFDB10DF9AC984BEEBBF8EB48320F20841AE554A3210D378A584CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02EAF900,?,?,?,?), ref: 02EAFD75
                        Memory Dump Source
                        • Source File: 00000000.00000002.1161724704.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ea0000_Firewall Security.jbxd
                        Similarity
                        • API ID: LongWindow
                        • String ID:
                        • API String ID: 1378638983-0
                        • Opcode ID: 3ca859e1d8d1e1599e2a0c5d45ab01696e8f469237c24cd4ec502b883fdd54e2
                        • Instruction ID: 05aa80dcbec378aac0789e9e39c5d4a6faff8b7d24aa8d951f87b5e3abfd0ee9
                        • Opcode Fuzzy Hash: 3ca859e1d8d1e1599e2a0c5d45ab01696e8f469237c24cd4ec502b883fdd54e2
                        • Instruction Fuzzy Hash: F91125B58002488FCB10CF9AD584BEEBBF8EB88324F20841AD918A7700C374A944CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02EAD72E
                        Memory Dump Source
                        • Source File: 00000000.00000002.1161724704.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2ea0000_Firewall Security.jbxd
                        Similarity
                        • API ID: HandleModule
                        • String ID:
                        • API String ID: 4139908857-0
                        • Opcode ID: c69ef520d7610e51e64bddc60e6d1c44e031862298c44bd688534c064a27fbb7
                        • Instruction ID: 3f8c29ad7a6366deb9c7612518dfe29b885cc52d4b754f0c4677ae0bf492db1a
                        • Opcode Fuzzy Hash: c69ef520d7610e51e64bddc60e6d1c44e031862298c44bd688534c064a27fbb7
                        • Instruction Fuzzy Hash: C71113B5C003098FCB14CF9AC944ADEFBF8EF88324F10841AD419A7610C374A545CFA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,08F87587), ref: 08F8838D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162335262.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8f80000_Firewall Security.jbxd
                        Similarity
                        • API ID: DispatchMessage
                        • String ID:
                        • API String ID: 2061451462-0
                        • Opcode ID: cc0010b2cb5b422d61a5e5e1d75e03195269f53bf6fe5e6200d745666a3c1650
                        • Instruction ID: 5f2ee51e76231c0cc29c8edfb7bc68cda39db1dbd7675d23ea4c9b7ebec08c61
                        • Opcode Fuzzy Hash: cc0010b2cb5b422d61a5e5e1d75e03195269f53bf6fe5e6200d745666a3c1650
                        • Instruction Fuzzy Hash: C811F2B1D10649CFCB20DFAAD544BDEBBF8EB48360F10842AD419B3200D378A544CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(?,?,?,?), ref: 09928A25
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162350936.0000000009920000.00000040.00000800.00020000.00000000.sdmp, Offset: 09920000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9920000_Firewall Security.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: 2ffd91e25e49eb26c6f1f14e182b966e636cbeaabcc9d9f1979f37e3bd4c774d
                        • Instruction ID: f4b3d8811f93ae7ced1b38475cbfd2daabd6baaffdad163f108a4139038dc685
                        • Opcode Fuzzy Hash: 2ffd91e25e49eb26c6f1f14e182b966e636cbeaabcc9d9f1979f37e3bd4c774d
                        • Instruction Fuzzy Hash: D41106B5800349DFDB20CF99D585BEEBFF8EB58320F20845AE455A7210C7786545CFA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162350936.0000000009920000.00000040.00000800.00020000.00000000.sdmp, Offset: 09920000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9920000_Firewall Security.jbxd
                        Similarity
                        • API ID: DispatchMessage
                        • String ID:
                        • API String ID: 2061451462-0
                        • Opcode ID: 7169d81e035fbedf3a5889180ebcc55a4c7de08f07a0df12954b31638309c905
                        • Instruction ID: ed40687d23ba9f3100575ac908cec9a11c3e07773674d2490d9951479c29b7b9
                        • Opcode Fuzzy Hash: 7169d81e035fbedf3a5889180ebcc55a4c7de08f07a0df12954b31638309c905
                        • Instruction Fuzzy Hash: F511F2B5C007488FCB20DF9AE944BDEBBF8EB48320F14841AE419B3600D778A545CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,08F87587), ref: 08F8838D
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162335262.0000000008F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_8f80000_Firewall Security.jbxd
                        Similarity
                        • API ID: DispatchMessage
                        • String ID:
                        • API String ID: 2061451462-0
                        • Opcode ID: ec1c8cd03c6ad0640c23156fe94d497710a11d27b23a1aafb3172849c9914083
                        • Instruction ID: 1a0256fe11728fff9ae3b405755c69e41d452e78e2c14db03b1c95eabb06d3d8
                        • Opcode Fuzzy Hash: ec1c8cd03c6ad0640c23156fe94d497710a11d27b23a1aafb3172849c9914083
                        • Instruction Fuzzy Hash: A311F5B1C00649CFCB10DF9AD544BDEFBF8AB48324F14846AD458B3200D3786544CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • SendMessageW.USER32(?,?,?,?), ref: 09928A25
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162350936.0000000009920000.00000040.00000800.00020000.00000000.sdmp, Offset: 09920000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9920000_Firewall Security.jbxd
                        Similarity
                        • API ID: MessageSend
                        • String ID:
                        • API String ID: 3850602802-0
                        • Opcode ID: 128a02f1fedd604935d14689d8a80b7dacf8c65cd68564a4f90b4119e7edfeeb
                        • Instruction ID: 0e5428c5ce9cea2e7b74e1d5594010c38d0243a0be61a41227f4fa05fc2f682b
                        • Opcode Fuzzy Hash: 128a02f1fedd604935d14689d8a80b7dacf8c65cd68564a4f90b4119e7edfeeb
                        • Instruction Fuzzy Hash: B411E5B5800349DFDB20DF9AD984BDEBBF8EB58324F20841AE558A7600C774A544CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162350936.0000000009920000.00000040.00000800.00020000.00000000.sdmp, Offset: 09920000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9920000_Firewall Security.jbxd
                        Similarity
                        • API ID: DispatchMessage
                        • String ID:
                        • API String ID: 2061451462-0
                        • Opcode ID: 48a8af3cb30530bde0816e1f9296c991185d47ec510ad6f2e2dda8c6126e4d37
                        • Instruction ID: 441deeb2de7ca2a3a5053c7f91b0d47f521b3ed383730432963ac93bc77a2392
                        • Opcode Fuzzy Hash: 48a8af3cb30530bde0816e1f9296c991185d47ec510ad6f2e2dda8c6126e4d37
                        • Instruction Fuzzy Hash: FF11D0B1C007498FCB20DF9AE544BDEFBF8EB48324F24841AD459A3610D778A544CFA5
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Non-executed Functions

                        APIs
                        • GetKeyState.USER32(00000001), ref: 09928C2D
                        • GetKeyState.USER32(00000002), ref: 09928C72
                        • GetKeyState.USER32(00000004), ref: 09928CB7
                        • GetKeyState.USER32(00000005), ref: 09928CFC
                        • GetKeyState.USER32(00000006), ref: 09928D41
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162350936.0000000009920000.00000040.00000800.00020000.00000000.sdmp, Offset: 09920000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9920000_Firewall Security.jbxd
                        Similarity
                        • API ID: State
                        • String ID:
                        • API String ID: 1649606143-0
                        • Opcode ID: 3ebddf0c4d6f8c7fdf63edad42885d51932654fd65687f239a9ccf8f9a5a17db
                        • Instruction ID: b7576e59810182a57073409eb3c436a0263566312db2f6a5dc41ef3cdead2ee3
                        • Opcode Fuzzy Hash: 3ebddf0c4d6f8c7fdf63edad42885d51932654fd65687f239a9ccf8f9a5a17db
                        • Instruction Fuzzy Hash: 6941A4758017958FDB21DFAAC5487AFBFF8AB54305F24840EE049BB280C7B9514ACB96
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1162350936.0000000009920000.00000040.00000800.00020000.00000000.sdmp, Offset: 09920000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9920000_Firewall Security.jbxd
                        Similarity
                        • API ID:
                        • String ID: fff?
                        • API String ID: 0-4136771917
                        • Opcode ID: be7b8049ef9994046957a0488906a00d206a90e532b0c9417db35d860769631b
                        • Instruction ID: 410ec7d6e05ff87907871d048b4f82a9f99589ad9be25e5441b59f0813edfade
                        • Opcode Fuzzy Hash: be7b8049ef9994046957a0488906a00d206a90e532b0c9417db35d860769631b
                        • Instruction Fuzzy Hash: 49122A35800619DFCF11DF50C888AE9BBB2FF49304F1585D5E9096F265EB72AA96CF80
                        Uniqueness

                        Uniqueness Score: -1.00%
