Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
Analysis ID:1449410
MD5:056691c1c5f0fa68a120e107927686b3
SHA1:09412826e7955c95883052e82de1f944c257c26c
SHA256:c4e0d8ae7e8574576dcae763e892888f741dd72178aa61e31cde60c17af6683c
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
00000003.00000002.3283969009.0000000002E16000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3283969009.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3281416419.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3281416419.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3283969009.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | Strings:
  • 0x316a1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31713:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3179d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3182f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31899:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3190b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319a1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a31:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.452c260.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.452c260.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 162.222.226.100, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Initiated: true, ProcessId: 1196, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49707

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
05/30/24-08:46:40.140192 | 2030171 | 49707 | 587 | TCP | A Network Trojan was detected
05/30/24-08:46:40.140192 | 2839723 | 49707 | 587 | TCP | A Network Trojan was detected
05/30/24-08:46:40.140262 | 2855542 | 49707 | 587 | TCP | A Network Trojan was detected
05/30/24-08:46:40.140262 | 2855245 | 49707 | 587 | TCP | A Network Trojan was detected
05/30/24-08:46:40.140262 | 2840032 | 49707 | 587 | TCP | A Network Trojan was detected
05/30/24-08:46:40.140262 | 2851779 | 49707 | 587 | TCP | A Network Trojan was detected

AV Detection

Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Virustotal: Detection: 33%
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49707 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49707 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49707 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49707 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49707 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49707 -> 162.222.226.100:587
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.452c260.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.5:49707 -> 162.222.226.100:587
Source: Joe Sandbox View | IP Address: 162.222.226.100
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.thelamalab.com
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000003.00000002.3283969009.0000000002E16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.thelamalab.com
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000000.00000002.2033999344.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000003.00000002.3281416419.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, abAX9N.cs | .Net Code: K8VU1S
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.452c260.6.raw.unpack, abAX9N.cs | .Net Code: K8VU1S

System Summary

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.452c260.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.452c260.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000000.00000002.2043896999.00000000079A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000000.00000002.2043188370.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000000.00000002.2031876383.000000000124E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000000.00000002.2032788607.0000000003256000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename9d02a015-5a5b-4340-adbb-c530e02a0bc4.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000000.00000002.2033999344.00000000043EE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename9d02a015-5a5b-4340-adbb-c530e02a0bc4.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000000.00000002.2033999344.00000000043EE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000003.00000002.3281736530.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000003.00000002.3281416419.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename9d02a015-5a5b-4340-adbb-c530e02a0bc4.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Binary or memory string: OriginalFilenameJAdH.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.452c260.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.452c260.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, RsYAkkzVoy.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, Kqqzixk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, xROdzGigX.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, ywes.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, iPVW0zV.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, 1Pi9sgbHwoV.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, MarWtcu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, MarWtcu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, MarWtcu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, MarWtcu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.79a0000.11.raw.unpack, nPPJpwtNJtBCyxbcyH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.45f5730.8.raw.unpack, nPPJpwtNJtBCyxbcyH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.45f5730.8.raw.unpack, O1iNVDjFhWDiwZWh6R.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.45f5730.8.raw.unpack, O1iNVDjFhWDiwZWh6R.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.45f5730.8.raw.unpack, O1iNVDjFhWDiwZWh6R.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.79a0000.11.raw.unpack, O1iNVDjFhWDiwZWh6R.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.79a0000.11.raw.unpack, O1iNVDjFhWDiwZWh6R.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.79a0000.11.raw.unpack, O1iNVDjFhWDiwZWh6R.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.7650000.10.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.3527c98.0.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.324695c.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.3256974.3.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Mutant created: NULL
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Section loaded (in order reported): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.79a0000.11.raw.unpack, O1iNVDjFhWDiwZWh6R.cs, .Net Code: FNo4fILjWQ System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.45f5730.8.raw.unpack, O1iNVDjFhWDiwZWh6R.cs, .Net Code: FNo4fILjWQ System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.5cd0000.9.raw.unpack, RLhDAEYwfjHvjWVq5a.cs, .Net Code: Gc3JujKCKLERSog4UEp System.Reflection.Assembly.Load(byte[])
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Code function: 0_2_017EE938 push esp; retf 0_2_017EE939
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Code function: 0_2_017EF4D0 pushad ; iretd 0_2_017EF4D1
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Code function: 0_2_017EDB64 push esp; ret 0_2_017EDB6D
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Code function: 0_2_056E7438 push eax; mov dword ptr [esp], ecx 0_2_056E743C
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Code function: 0_2_056EF318 pushfd ; ret 0_2_056EF319
                      Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Static PE information: section name: .text entropy: 7.977119114968714
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.79a0000.11.raw.unpack, 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.45f5730.8.raw.unpack, 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.5cd0000.9.raw.unpack: High entropy of concatenated method names
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe PID: 4696, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Memory allocated: 17A0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Memory allocated: 3210000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Memory allocated: 3040000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Memory allocated: 7A20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Memory allocated: 8A20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Memory allocated: 8CB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Memory allocated: 9CB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Memory allocated: E40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Memory allocated: 2DC0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Memory allocated: 2BE0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exeWindow / User API: threadDelayed 1032Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exeWindow / User API: threadDelayed 4094Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000003.00000002.3282432547.0000000000F17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match File source: dump.pcap, type: PCAP
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.452c260.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.452c260.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000003.00000002.3283969009.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.3283969009.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.3281416419.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.3283969009.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.2033999344.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe PID: 4696, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe PID: 1196, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe File opened: C:\FTP Navigator\Ftplist.txt
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                      Remote Access Functionality

                      Source: Yara match File source: dump.pcap, type: PCAP
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.452c260.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.452c260.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe.44f1840.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000003.00000002.3283969009.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.3283969009.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.3281416419.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.3283969009.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.2033999344.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe PID: 4696, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe PID: 1196, type: MEMORYSTR
                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 Input Capture | 1 Process Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 141 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 2 Data from Local System | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                      Source | Detection | Scanner | Label
                      SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | 34% | Virustotal |
                      SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | 32% | ReversingLabs | Win32.Trojan.Generic
                      SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | 100% | Joe Sandbox ML |
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      mail.thelamalab.com | 1% | Virustotal |
                      Source | Detection | Scanner | Label
                      https://account.dyn.com/ | 0% | URL Reputation | safe
                      http://mail.thelamalab.com | 0% | Avira URL Cloud | safe
                      http://mail.thelamalab.com | 1% | Virustotal |
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      mail.thelamalab.com | 162.222.226.100 | true | true | | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://mail.thelamalab.com | SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000003.00000002.3283969009.0000000002E16000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
                      https://account.dyn.com/ | SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000000.00000002.2033999344.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, 00000003.00000002.3281416419.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      162.222.226.100 | mail.thelamalab.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
                      Joe Sandbox version: 40.0.0 Tourmaline
                      Analysis ID: 1449410
                      Start date and time: 2024-05-30 08:45:46 +02:00
                      Joe Sandbox product: CloudBasic
                      Overall analysis duration: 0h 6m 22s
                      Hypervisor based Inspection enabled: false
                      Report type: full
                      Cookbook file name: default.jbs
                      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed: 6
                      Number of new started drivers analysed: 0
                      Number of existing processes analysed: 0
                      Number of existing drivers analysed: 0
                      Number of injected processes analysed: 0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode: default
                      Analysis stop reason: Timeout
                      Sample name: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
                      Detection: MAL
                      Classification: mal100.troj.spyw.evad.winEXE@3/1@1/1
                      EGA Information:
                      • Successful, ratio: 50%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 161
                      • Number of non-executed functions: 11
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe, PID 1196 because it is empty
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      Time | Type | Description
                      02:46:34 | API Interceptor | 26x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe modified
                      Match | Associated Sample Name / URL | Detection | Threat Name
                      162.222.226.100 | DOCUMENTS.exe | malicious | AgentTesla
                      162.222.226.100 | SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | malicious | AgentTesla
                      162.222.226.100 | SHIPPING ORDER.exe | malicious | AgentTesla
                      162.222.226.100 | receipt-73633T36X90N.exe | malicious | AgentTesla
                      162.222.226.100 | AQQ-T7630-CVE8.exe | malicious | AgentTesla
                      162.222.226.100 | SecuriteInfo.com.Win32.CrypterX-gen.1573.32091.exe | malicious | AgentTesla
                      162.222.226.100 | SCAN_INCORRECT_DETAILS.exe | malicious | AgentTesla
                      162.222.226.100 | SecuriteInfo.com.Heur.26171.30744.exe | malicious | AgentTesla
                      162.222.226.100 | INVOICE_FEB-888201-2024.exe | malicious | AgentTesla
                      162.222.226.100 | INVOICE_FEB-888201-2024.exe | malicious | AgentTesla
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.thelamalab.com | DOCUMENTS.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SHIPPING ORDER.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | receipt-73633T36X90N.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | AQQ-T7630-CVE8.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SecuriteInfo.com.Win32.CrypterX-gen.1573.32091.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SCAN_INCORRECT_DETAILS.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SecuriteInfo.com.Heur.26171.30744.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | INVOICE_FEB-888201-2024.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | INVOICE_FEB-888201-2024.exe | malicious | AgentTesla | 162.222.226.100
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.Win32.PWSX-gen.21784.812.exe | malicious | AgentTesla | 199.79.62.115
PUBLIC-DOMAIN-REGISTRYUS | Advance Payment _copy.scr | malicious | AgentTesla | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | Numero de pedido HMFZ0772 Pedido.exe | malicious | AgentTesla | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | SWIFT COPY.exe | malicious | AgentTesla | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | SWIFT COPY.exe | malicious | AgentTesla | 208.91.198.143
PUBLIC-DOMAIN-REGISTRYUS | Wire Transfer_50%.scr.exe | malicious | AgentTesla | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | https://akinware.com.ng/itaufredensonychichitonew/index.html | malicious | HTMLPhisher | 199.79.63.115
PUBLIC-DOMAIN-REGISTRYUS | N#U00a3mero de pedido HMFZ0772 [Pedido].exe | malicious | AgentTesla | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | PDF89gh ReUrgent Quotepdf.exe | malicious | FormBook | 162.222.225.165
PUBLIC-DOMAIN-REGISTRYUS | GestorRemesasCONFIRMIMING.exe | malicious | AgentTesla | 208.91.198.143
                                          No context
                                          No context
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.967978206290368
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                          File name:SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
                                          File size:712'704 bytes
                                          MD5:056691c1c5f0fa68a120e107927686b3
                                          SHA1:09412826e7955c95883052e82de1f944c257c26c
                                          SHA256:c4e0d8ae7e8574576dcae763e892888f741dd72178aa61e31cde60c17af6683c
                                          SHA512:2e404a5dfa2987b7cb86f58531cbb8bfbad6aea1f528c0328d6ff49725e1c02f0af334085f62a42a7b66d54137a668e3e9f45f44d0c5742e8e0c586d88a3264f
                                          SSDEEP:12288:OMdKkAdrJwKcI64X6t3M2b1X4bK+FJxeDg+baVQ1tlyIim2Px2/ILvWsx8blDvkd:UcgDE17Dnbx1/y99P/CsxQlDvM
                                          TLSH:46E423993938442BC4FB04F606E112484BB2923748EEF6DC9E92E5987CF7B540966F33
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9.Wf..............0......$........... ........@.. ....................... ............@................................
                                          Icon Hash:990c17132b0f3331
                                          Entrypoint:0x4ad69a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x6657F939 [Thu May 30 03:57:45 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xad648 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x1e0c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xab6a0 | 0xab800 | e2a548b814912b15ab25156dede8b834 | False | 0.9703116458637027 | data | 7.977119114968714 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xae000 | 0x1e0c | 0x2000 | b3f82af7b3ab9e8262dd549fe6643d52 | False | 0.8682861328125 | data | 7.438657279891937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb0000 | 0xc | 0x400 | c5e873cb3db5fb7aae223219a23c4906 | False | 0.025390625 | data | 0.05585530805374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xae0c8 | 0x1acf | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9814949730438584
RT_GROUP_ICON | 0xafba8 | 0x14 | data | | | 1.05
RT_VERSION | 0xafbcc | 0x23c | data | | | 0.46853146853146854
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/30/24-08:46:40.140192 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49707 | 587 | 192.168.2.5 | 162.222.226.100
05/30/24-08:46:40.140192 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49707 | 587 | 192.168.2.5 | 162.222.226.100
05/30/24-08:46:40.140262 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49707 | 587 | 192.168.2.5 | 162.222.226.100
05/30/24-08:46:40.140262 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49707 | 587 | 192.168.2.5 | 162.222.226.100
05/30/24-08:46:40.140262 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49707 | 587 | 192.168.2.5 | 162.222.226.100
05/30/24-08:46:40.140262 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49707 | 587 | 192.168.2.5 | 162.222.226.100
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 30, 2024 08:46:37.699270964 CEST | 63649 | 53 | 192.168.2.5 | 1.1.1.1
May 30, 2024 08:46:37.990999937 CEST | 53 | 63649 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 30, 2024 08:46:37.699270964 CEST | 192.168.2.5 | 1.1.1.1 | 0xb527 | Standard query (0) | mail.thelamalab.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 30, 2024 08:46:37.990999937 CEST | 1.1.1.1 | 192.168.2.5 | 0xb527 | No error (0) | mail.thelamalab.com | | 162.222.226.100 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 30, 2024 08:46:38.903578043 CEST | 587 | 49707 | 162.222.226.100 | 192.168.2.5 | 220-md-114.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 30 May 2024 12:16:38 +0530
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
May 30, 2024 08:46:38.903846979 CEST | 49707 | 587 | 192.168.2.5 | 162.222.226.100 | EHLO 128757
May 30, 2024 08:46:39.063839912 CEST | 587 | 49707 | 162.222.226.100 | 192.168.2.5 | 250-md-114.webhostbox.net Hello 128757 [8.46.123.175]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
May 30, 2024 08:46:39.064995050 CEST | 49707 | 587 | 192.168.2.5 | 162.222.226.100 | AUTH login YmlsbGluZ0B0aGVsYW1hbGFiLmNvbQ==
May 30, 2024 08:46:39.253048897 CEST | 587 | 49707 | 162.222.226.100 | 192.168.2.5 | 334 UGFzc3dvcmQ6
May 30, 2024 08:46:39.455547094 CEST | 587 | 49707 | 162.222.226.100 | 192.168.2.5 | 235 Authentication succeeded
May 30, 2024 08:46:39.457067013 CEST | 49707 | 587 | 192.168.2.5 | 162.222.226.100 | MAIL FROM:<billing@thelamalab.com>
May 30, 2024 08:46:39.637135983 CEST | 587 | 49707 | 162.222.226.100 | 192.168.2.5 | 250 OK
May 30, 2024 08:46:39.639043093 CEST | 49707 | 587 | 192.168.2.5 | 162.222.226.100 | RCPT TO:<jinhux31@gmail.com>
May 30, 2024 08:46:39.981177092 CEST | 587 | 49707 | 162.222.226.100 | 192.168.2.5 | 250 Accepted
May 30, 2024 08:46:39.981327057 CEST | 49707 | 587 | 192.168.2.5 | 162.222.226.100 | DATA
May 30, 2024 08:46:40.139539003 CEST | 587 | 49707 | 162.222.226.100 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
May 30, 2024 08:46:40.140404940 CEST | 49707 | 587 | 192.168.2.5 | 162.222.226.100 | .
May 30, 2024 08:46:40.436125040 CEST | 587 | 49707 | 162.222.226.100 | 192.168.2.5 | 250 OK id=1sCZYe-000Tl3-0C
May 30, 2024 08:48:17.711576939 CEST | 49707 | 587 | 192.168.2.5 | 162.222.226.100 | QUIT
May 30, 2024 08:48:18.082999945 CEST | 587 | 49707 | 162.222.226.100 | 192.168.2.5 | 221 md-114.webhostbox.net closing connection


                                          Target ID:0
                                          Start time:02:46:34
                                          Start date:30/05/2024
                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe"
                                          Imagebase:0xd90000
                                          File size:712'704 bytes
                                          MD5 hash:056691C1C5F0FA68A120E107927686B3
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2033999344.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2033999344.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:true

                                          Target ID:3
                                          Start time:02:46:35
                                          Start date:30/05/2024
                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe"
                                          Imagebase:0x810000
                                          File size:712'704 bytes
                                          MD5 hash:056691C1C5F0FA68A120E107927686B3
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3283969009.0000000002E16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3283969009.0000000002E0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3281416419.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3281416419.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3283969009.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3283969009.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false


                                            Execution Graph

                                            Execution Coverage:9.6%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:256
                                            Total number of Limit Nodes:12

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 017ECFFE
                                            • GetCurrentThread.KERNEL32 ref: 017ED03B
                                            • GetCurrentProcess.KERNEL32 ref: 017ED078
                                            • GetCurrentThreadId.KERNEL32 ref: 017ED0D1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032437842.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: a6cdb3c7897e342a09af9f60f349df90fedbffe1533aa550ba5ed815190757fc
                                            • Instruction ID: a0af76382c14d4b695dfc226f48ce614521bc03358b8be601d67dd38bfaebb28
                                            • Opcode Fuzzy Hash: a6cdb3c7897e342a09af9f60f349df90fedbffe1533aa550ba5ed815190757fc
                                            • Instruction Fuzzy Hash: 765154B09012498FDB24DFAAD548BAEBFF5EF88304F248059D509A7260D7389844CB65

                                            Control-flow Graph

                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 017ECFFE
                                            • GetCurrentThread.KERNEL32 ref: 017ED03B
                                            • GetCurrentProcess.KERNEL32 ref: 017ED078
                                            • GetCurrentThreadId.KERNEL32 ref: 017ED0D1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032437842.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 31ef53b5c1f6440ffe76a27e775e92e65080a501d3836d1ea4a9391778270327
                                            • Instruction ID: d3bdc3833f77157ca8c75684b95dc2c65cc11bb518d7b3951fca9a341a32e7d3
                                            • Opcode Fuzzy Hash: 31ef53b5c1f6440ffe76a27e775e92e65080a501d3836d1ea4a9391778270327
                                            • Instruction Fuzzy Hash: B65154B09013098FDB24DFAAD548BAEBFF5FF88304F248059E519A7360D7389844CB65

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Haq$Haq
                                            • API String ID: 0-4016896955
                                            • Opcode ID: 36dbf1745a678532a64c5b29447703601446b637e84c3706c2fe76d9bcaedae3
                                            • Instruction ID: 4fcfe61dde47f106077cdd3fe524af7ec1a3e748e9316f0fed1ab25869115794
                                            • Opcode Fuzzy Hash: 36dbf1745a678532a64c5b29447703601446b637e84c3706c2fe76d9bcaedae3
                                            • Instruction Fuzzy Hash: 53816B74E013198FCB04DFA9C8946EEBBF6BF88300F14856AD409EB364DB349946CB91

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076D59FE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 23bfcffb4321462d0e7f12fc836ac25fc4523cec3f074b0d3e71cde59e9c0939
                                            • Instruction ID: 373b5b369d2410def0e3c79e3e9966ade774b487967781508753cf9e5fabf98f
                                            • Opcode Fuzzy Hash: 23bfcffb4321462d0e7f12fc836ac25fc4523cec3f074b0d3e71cde59e9c0939
                                            • Instruction Fuzzy Hash: 6DA18DB1D1022ADFDB10DF68C841BEDBBB2BF48310F14816AD81AA7640DB749D95CF92

                                            Control-flow Graph

                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 076D59FE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 99c3181e8072d828e5aacd3e27bcad0f01903ebda0f77329b42d84a335838cd0
                                            • Instruction ID: 149a72a01d3b4f9d6d2a689a9015976dccdf9d5fa271c6c999cea4e2ee2553bd
                                            • Opcode Fuzzy Hash: 99c3181e8072d828e5aacd3e27bcad0f01903ebda0f77329b42d84a335838cd0
                                            • Instruction Fuzzy Hash: 7A916DB1D1022ACFDB10DF68C841BEDBBB2BF48314F14816AD81AA7640DB759D95CF92

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 017EAF3E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032437842.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: d936d7c14d358ede8299f83997eddc3ce5e05eb9a05011309a5b9be20a1c6107
                                            • Instruction ID: bb150050bf7efcc8177807d6c238515d5b79e44483cc5da2c3b16f27e155c6fb
                                            • Opcode Fuzzy Hash: d936d7c14d358ede8299f83997eddc3ce5e05eb9a05011309a5b9be20a1c6107
                                            • Instruction Fuzzy Hash: 1F812570A00B458FDB24DF6AD04979ABBF1FF48304F00892ED54ADBA54D775E949CB90

                                            Control-flow Graph

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 076D8F88
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            • Opcode ID: a014393c7004b31c213d096ac845d403a266784dbb27ee5d1f2516775393bd9c
                                            • Instruction ID: 6f480b7304f274d6cc9f582c7e559bf1502700e39ef08a517cba2e1761bd04d2
                                            • Opcode Fuzzy Hash: a014393c7004b31c213d096ac845d403a266784dbb27ee5d1f2516775393bd9c
                                            • Instruction Fuzzy Hash: 47516AB0D24309DFDB10DFA9E4497EEBBF1EF4A300F14906AD40AA3250D3746A85CBA1

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 017E59A9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032437842.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: b0a90931334e102ed1652646207a333d80671deed944c13d0932e16351898c2a
                                            • Instruction ID: 9f0fe265e050aa76ab33299d69a945d7f1b654102db7d87d08e806ee938e0122
                                            • Opcode Fuzzy Hash: b0a90931334e102ed1652646207a333d80671deed944c13d0932e16351898c2a
                                            • Instruction Fuzzy Hash: 8941CDB4C0061DCBDB24CFA9C888A8DBBF5BF49304F20806AD418AB255DB75694ACF91

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 017E59A9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032437842.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 2ca2239fa64e64e9ab34edbd4c23acf2cf0e66270795e05f7f8bb7e40e5a72ad
                                            • Instruction ID: 0fa29f3ee7a361e6de7cac2fd37024f8c18fd32650d938bce275e27f784b7613
                                            • Opcode Fuzzy Hash: 2ca2239fa64e64e9ab34edbd4c23acf2cf0e66270795e05f7f8bb7e40e5a72ad
                                            • Instruction Fuzzy Hash: 8F41B2B4C0071DCBDB24DFA9C848B9EBBF5BF49304F20806AD418AB255DB756946CF91

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076D55D0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 076D55D0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076D5426
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076D56B0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 017EAF3E
                                              • Part of subcall function 017EA070: LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017EAFB9,00000800,00000000,00000000), ref: 017EB1CA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032437842.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: HandleLibraryLoadModule
                                            • String ID:
                                            • API String ID: 4133054770-0
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017ED657
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032437842.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 076D5426
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 076D56B0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017ED657
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032437842.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076D54EE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017EAFB9,00000800,00000000,00000000), ref: 017EB1CA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032437842.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017EAFB9,00000800,00000000,00000000), ref: 017EB1CA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032437842.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 076D54EE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 076D8F88
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 017EAF3E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032437842.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 076D8F88
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 076D7ABD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 076D7ABD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (aq
                                            • API String ID: 0-600464949
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (aq
                                            • API String ID: 0-600464949
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Haq
                                            • API String ID: 0-725504367
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Te]q
                                            • API String ID: 0-52440209
                                            • Opcode ID: 2f2dee91ded09ad9d40f027681b1a7929883cf178233633fe7b67ed4fc7808f6
                                            • Instruction ID: 34274a9ac1b392e29b9f7c68c7f1e527e4d4e71c6b7f3e235901f6b0c1003bd1
                                            • Opcode Fuzzy Hash: 2f2dee91ded09ad9d40f027681b1a7929883cf178233633fe7b67ed4fc7808f6
                                            • Instruction Fuzzy Hash: 3B519E71B0121A8FDB05DFB998489BEBBF6EFC4220B158929E419DB355DB309D06C7A0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (aq
                                            • API String ID: 0-600464949
                                            • Opcode ID: c20e8662e92a6965f29db2bcaf7fb311184c504359fb560a5c697c14bb556a5e
                                            • Instruction ID: 77351fee9057b40f9d6efcea918a49b2262dd15920052c19f8a4c7bc2ded915b
                                            • Opcode Fuzzy Hash: c20e8662e92a6965f29db2bcaf7fb311184c504359fb560a5c697c14bb556a5e
                                            • Instruction Fuzzy Hash: B14123317076204FCB5AAB7998186BE6AE7BFCA750B14446DC906DB3E8DF24CC02C785
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Te]q
                                            • API String ID: 0-52440209
                                            • Opcode ID: f298fce9463d5ba80605b151ec9dcf8e9a0fbce853dc315e56ca12c6a5204798
                                            • Instruction ID: 63da411ae793464f464b0ae73d8092f9a11260ce775d430e7fc0afb9c7b0f280
                                            • Opcode Fuzzy Hash: f298fce9463d5ba80605b151ec9dcf8e9a0fbce853dc315e56ca12c6a5204798
                                            • Instruction Fuzzy Hash: 66115131B0120A8BDF18EBB999109EEBAF6AFC8610B104069C809E7344EB358D02CB95
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q
                                            • API String ID: 0-1259897404
                                            • Opcode ID: cc5b5a954e28993675d15ccb3f536488099280dc7c1e90bd32c348a264e4ec0b
                                            • Instruction ID: fc558a990e066541893605300f0b8471aeec47f81a8ab4f1d0920759501d607b
                                            • Opcode Fuzzy Hash: cc5b5a954e28993675d15ccb3f536488099280dc7c1e90bd32c348a264e4ec0b
                                            • Instruction Fuzzy Hash: 7A01A2B0A01209EFCB14EFB8E54AA9CBFF1FF54600F5045A9D805AB324DE346E09CB41
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4']q
                                            • API String ID: 0-1259897404
                                            • Opcode ID: 012bda73170c17ea3da368fc6933e613976827da3857e6e34fc0f090d7cba512
                                            • Instruction ID: 6796c089a5bf4bd764cf914ff99df806e3b3be2ce3e84733f6346dd01c77f02f
                                            • Opcode Fuzzy Hash: 012bda73170c17ea3da368fc6933e613976827da3857e6e34fc0f090d7cba512
                                            • Instruction Fuzzy Hash: 42F03C70A01209EFCB54EFB8E65999CBFB6FF54601B5005A9D806AB364EF345E08CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d1ed2ef757a6bcf9d8f0e34b13be189a0baf77b3562bebfdf19790d50bb1b9f3
                                            • Instruction ID: dbdeedda9318263a841ea0677872dccdd054e9face5b9ecf918fb2b73304c1c1
                                            • Opcode Fuzzy Hash: d1ed2ef757a6bcf9d8f0e34b13be189a0baf77b3562bebfdf19790d50bb1b9f3
                                            • Instruction Fuzzy Hash: 99724131D11609CFDB15EF68C898AADB7B1FF45304F008699D54AA7265EF30AAC9CF81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d9923553bfbfccdf0ccaff98232949676106d6871dbf6cdc2f3659d30792d0c5
                                            • Instruction ID: 3a313fe5af63f75a26703543912c7ebdd4b5db613ec82de0315f0326eb48b6fa
                                            • Opcode Fuzzy Hash: d9923553bfbfccdf0ccaff98232949676106d6871dbf6cdc2f3659d30792d0c5
                                            • Instruction Fuzzy Hash: 7A42E531E11619CFCB25DF68C8946EDB7B1BF99304F1086A9D45AB7321EB70AA85CF40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 61b0be2190bd70ae08440579c9d3e321e7b74a3b4ddddb8bf639734756316c46
                                            • Instruction ID: bed215e713216e8a04b9898993bdb953b6b209b7f8450b7bfc0c47e443dc4215
                                            • Opcode Fuzzy Hash: 61b0be2190bd70ae08440579c9d3e321e7b74a3b4ddddb8bf639734756316c46
                                            • Instruction Fuzzy Hash: BD221834A02215CFCB14DF69C888A9DB7B2FF89304F1485A9E44AAB365DB30ED85CF50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f87871676352ecd2e83004549a53cba6652297ece2788b7e5c2ec1d30e77a1c2
                                            • Instruction ID: d9864415dea49ec59fc4f74314b08f6ed9f34fcd1e273db4d13f211342484e1b
                                            • Opcode Fuzzy Hash: f87871676352ecd2e83004549a53cba6652297ece2788b7e5c2ec1d30e77a1c2
                                            • Instruction Fuzzy Hash: CBE1FA31E02619CFCB25DF68C9946EDB7B2BF59304F1486A9D41AA7761EB30AD81CF40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1ffdce79fd273dd9965d2623fde0bc611f4001f9097e2ecdc3de08192212d5ac
                                            • Instruction ID: 50ff0ff5ef9c7e0fce07df1311e3968351c4d90e86abada284b35e7eb20283cf
                                            • Opcode Fuzzy Hash: 1ffdce79fd273dd9965d2623fde0bc611f4001f9097e2ecdc3de08192212d5ac
                                            • Instruction Fuzzy Hash: B87156307022008FCB14EF79C898BA9B7A6FF89314F0485BDD54A9B7A5DB75AC09CB50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2ae42a6ffe7e6eb832f1e7d497ac45b824c757173eaa200f561e1864ec4f216a
                                            • Instruction ID: d2427ddb0baea4d45e0dcb18d5aa2a8a8797c94e391d848226407743f3ff9919
                                            • Opcode Fuzzy Hash: 2ae42a6ffe7e6eb832f1e7d497ac45b824c757173eaa200f561e1864ec4f216a
                                            • Instruction Fuzzy Hash: AD91F97591170ACFCB41EF68C884999FBF5FF49310B14879AE819AB355EB30E985CB80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3977eec6b34e9088e74b5f7a98334e87e2f3bd8d2b6d8eba8c158366186eec24
                                            • Instruction ID: 23b73688593f3baaa6de7e1eba64618333d132747e340400f6fecf136fc0ab3e
                                            • Opcode Fuzzy Hash: 3977eec6b34e9088e74b5f7a98334e87e2f3bd8d2b6d8eba8c158366186eec24
                                            • Instruction Fuzzy Hash: 84710FB9701A408FC718DF29C488A59BBF2FF9930471589A9E14ACB772DB71EC41CB50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f0262ce711094cbbeb74c6effdca651f4f7971e047194177a8abd6e19e96888
                                            • Instruction ID: d7c80da916a313371b973231f0e035840e4654b187f2d9cbf371355b204140fc
                                            • Opcode Fuzzy Hash: 2f0262ce711094cbbeb74c6effdca651f4f7971e047194177a8abd6e19e96888
                                            • Instruction Fuzzy Hash: 3D71BAB8700A008FC718DF29C598959BBF2FF8970471589A9E54ACB772DB72EC41CB50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a57c807ba93746768b790b4e015af7ca565643acccafaf940100d4518a2e750a
                                            • Instruction ID: 052239e60aa8ff888641f8c054ae029eb4846d89634ade268887744b71ab4630
                                            • Opcode Fuzzy Hash: a57c807ba93746768b790b4e015af7ca565643acccafaf940100d4518a2e750a
                                            • Instruction Fuzzy Hash: F171AF74A012468FCB04CF68D584999FBF1FF48314B1986AAE80ADB712E734ED85CF94
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6314819930c724db5bc997c355f4158a6ea3bd4bfdd631d2e606dc1a2a1a1a9a
                                            • Instruction ID: d60eb9910d54e4bc5abc30d62ddd11fff92619e0ff3a5d1798e3c41aaed932be
                                            • Opcode Fuzzy Hash: 6314819930c724db5bc997c355f4158a6ea3bd4bfdd631d2e606dc1a2a1a1a9a
                                            • Instruction Fuzzy Hash: 69514E75E012499FCB14DFA9C858AEFBFFAEF89300F10841AE415E7250DB749945CBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 63488abd56c4097fa79015b405d0bade58c92cd74448231f63d3ba2ac451a3cc
                                            • Instruction ID: 8fb5311af33bf8461991e6e1820a802751bd079dcb4d1118e80deeaf3cb953d0
                                            • Opcode Fuzzy Hash: 63488abd56c4097fa79015b405d0bade58c92cd74448231f63d3ba2ac451a3cc
                                            • Instruction Fuzzy Hash: 59511771D1070ACFCB41EFA8C880999FBB5FF49310B14975AE859AB255EB70E985CB80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6a4e56c0a107b81691498956cde33d7b52ad3b907de420dd1d6167c80f76954c
                                            • Instruction ID: 60f62d4d1d22c875e66a6c516ce0b54b26ac49b8c34c8678efd7af5aa30740a3
                                            • Opcode Fuzzy Hash: 6a4e56c0a107b81691498956cde33d7b52ad3b907de420dd1d6167c80f76954c
                                            • Instruction Fuzzy Hash: 884136B1C013498FDB10DFA9C994ACDBFB5BF48304F64811AD418AB251D7755A8ACF91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fa568954db366673f9cefe3d5ab1da3f9333855508735728569129c3ffe6bf10
                                            • Instruction ID: f87fc409be21eec01aafd6da5019c88a23f087fb8a7f4e3ed9fca9d8140696fb
                                            • Opcode Fuzzy Hash: fa568954db366673f9cefe3d5ab1da3f9333855508735728569129c3ffe6bf10
                                            • Instruction Fuzzy Hash: E2413031A11709CFCB04EF68C484A9DF7B6FF89304F10856DE5156B365EB71A946CB41
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3e7448a0e58af1c93433c7822f549fc797be2624c79ff2edcf8d37ec070cc5f0
                                            • Instruction ID: 63cb3ea5d3bd7d1835dc266d169e723e120367fe796d5242b1e7bd525328f890
                                            • Opcode Fuzzy Hash: 3e7448a0e58af1c93433c7822f549fc797be2624c79ff2edcf8d37ec070cc5f0
                                            • Instruction Fuzzy Hash: BF414E31A10709CFCB04EF68C4849ADF7B6FF89304F00856DE1166B325EB71A946CB81
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c5ad23bbaa0ab742b8002fff3d9c02d320e5167d28d10591e80e714fe4d13a97
                                            • Instruction ID: 55c63009719e0bd1e56858c00892537bd9d0941515596a36fd00bbb32671826b
                                            • Opcode Fuzzy Hash: c5ad23bbaa0ab742b8002fff3d9c02d320e5167d28d10591e80e714fe4d13a97
                                            • Instruction Fuzzy Hash: EA412B74A062468FC714CF28C585A99FBF1FF49310B1986A9E40ADB752E731ED42CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 515f235f34eb3e61c3be666d361eacae56e9d06e5da84da5134d3d335655a4b9
                                            • Instruction ID: 7581a2872868359514f7695cdb244c3373e6f904a50cdac83f2a299647fee822
                                            • Opcode Fuzzy Hash: 515f235f34eb3e61c3be666d361eacae56e9d06e5da84da5134d3d335655a4b9
                                            • Instruction Fuzzy Hash: BD41F5B1D01609CBDB14CF9AC584ADEFBB5FF48304F64812AD409BB214D7756989CF91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4ba0c88160310d44368d0e17f25d25871be06815a8abd893cdf0240f19692c2d
                                            • Instruction ID: 38690626746db175691eb9405170005ec68519e896cfdf2112f2058203353ef9
                                            • Opcode Fuzzy Hash: 4ba0c88160310d44368d0e17f25d25871be06815a8abd893cdf0240f19692c2d
                                            • Instruction Fuzzy Hash: FF4112B1C01609CFDB14CFA9C585ADDFBB6BF08304F64812AD409BB210D7756A8ACF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0a039ce7217665a7c0111f99fb00061b9e8619f4609c8a3dab28dd59cf2d5154
                                            • Instruction ID: e02baf3118b5456f40575bd9774e49776309f310e919f61632645a7ffc8d996a
                                            • Opcode Fuzzy Hash: 0a039ce7217665a7c0111f99fb00061b9e8619f4609c8a3dab28dd59cf2d5154
                                            • Instruction Fuzzy Hash: FE31B432B02219CFCF04EB68E8548DDF7B6FF88214B158569E506A7320EF31AD42CB84
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f2002bc5c89f5ac91c3216f5217752169e658508a825b947a7b6405dada8b87b
                                            • Instruction ID: 55d636e71c213b7f16ad3f644f770b155296a5ab70010eb70169074f59b0976d
                                            • Opcode Fuzzy Hash: f2002bc5c89f5ac91c3216f5217752169e658508a825b947a7b6405dada8b87b
                                            • Instruction Fuzzy Hash: D341F975A0124A9FCB40DF68D88499AFBB5FF49314B148699E918AB321E730E985CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2480b2725808527507882f588164cfbd720dec348162be3be48aaa59e13a7d72
                                            • Instruction ID: edbae49ca9e623dc74ef77a5284ecd8accc94688564fe8e896ae3bdb0d7238ff
                                            • Opcode Fuzzy Hash: 2480b2725808527507882f588164cfbd720dec348162be3be48aaa59e13a7d72
                                            • Instruction Fuzzy Hash: 9F31EA76E0635A4FDB05DB7CC9605EDBBF7EF85200F044167C505E7291DA388905C7A2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9d515dd530694a0f90c3acf698a8f1a32c1d189c2e03da50b016d803f2ed9482
                                            • Instruction ID: b98590cf59e7f44759f74b32c559b0e121094d27fb343b06ab8ad287a028b872
                                            • Opcode Fuzzy Hash: 9d515dd530694a0f90c3acf698a8f1a32c1d189c2e03da50b016d803f2ed9482
                                            • Instruction Fuzzy Hash: 8141BEB4D013589BDB14CF9AC888ADEFBB6FF48710F20822AE418BB254D7756845CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 87771b6a616a082b7ad9993f3ca5eae561b232e66b2aaaff752808b73e61e1e0
                                            • Instruction ID: 44eaa11d1cb15aeef7f6a06017704f3935ecf4ea34129a89c1303784cf4cd91d
                                            • Opcode Fuzzy Hash: 87771b6a616a082b7ad9993f3ca5eae561b232e66b2aaaff752808b73e61e1e0
                                            • Instruction Fuzzy Hash: DD41BDB4D013589FDB14CFAAC985A9EFBB5BF48704F20822AE418BB254D7746846CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 60442e582f302bb0c13d15092b16737fb7e2370c99fbe32f86f1af98a3e1133f
                                            • Instruction ID: de7668a4b3887aca76ae2c89c2078b924c2a786290552b20ea9736dfa7da7083
                                            • Opcode Fuzzy Hash: 60442e582f302bb0c13d15092b16737fb7e2370c99fbe32f86f1af98a3e1133f
                                            • Instruction Fuzzy Hash: D741E575A0120ADFCB40DF69D88499AFBB5FF49314B14C659E918AB311E730E985CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c768c5d11ee838f6b3e46f0dbacf57dde9c99f8b4ce010070234b2aa1db9dae5
                                            • Instruction ID: 2c53d6148e88f3f02c71899196c8cb6f12dd481e7ce4b2950d03689d017f6ad9
                                            • Opcode Fuzzy Hash: c768c5d11ee838f6b3e46f0dbacf57dde9c99f8b4ce010070234b2aa1db9dae5
                                            • Instruction Fuzzy Hash: 962173323162008FC7149B2DD884AAD3BE5FF95725B1985BAE14BCF766EA35DC04CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7974d399abe757e2c3808bebeeac5e4f49c8725bdfa89f3e8936b91c587aab2c
                                            • Instruction ID: 8590d43dad691d4f22dbd3723dbc805a77627cfb72fa8d1d5d7defbac0ec189c
                                            • Opcode Fuzzy Hash: 7974d399abe757e2c3808bebeeac5e4f49c8725bdfa89f3e8936b91c587aab2c
                                            • Instruction Fuzzy Hash: 9A215C71B025499BCB10DBA9CD15ABFBBFAEFC9700F10816AE515E3250EA709A05C7A1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 30e6091540d8b304db52a809aa9bfe56e36d66d9456829610065a9657d44373a
                                            • Instruction ID: e9828840198bc9194b4e521c400c57fd8046266d4aba7f2f2cdeb5e04edb9138
                                            • Opcode Fuzzy Hash: 30e6091540d8b304db52a809aa9bfe56e36d66d9456829610065a9657d44373a
                                            • Instruction Fuzzy Hash: CC312D30A0260A9FCB14DF68D588A9EB7F6FF48710F14862DD416AB754DB71EC49CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c3312455d2c1f68c33ba55059f742ccc5776d5fead00470778b4b6879aeedbec
                                            • Instruction ID: e06ea1a2cf12e7d0bf3e8b62ccb266d32910a373564d6add2553bab220175035
                                            • Opcode Fuzzy Hash: c3312455d2c1f68c33ba55059f742ccc5776d5fead00470778b4b6879aeedbec
                                            • Instruction Fuzzy Hash: 8D21B4717012048FC750EF79C48899BBBFAEF95200B14896AD606DB360EF71EC09CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 58a2358d471ed13e9221c5c83fba3ba71cc1ed933fbc09d7a2adfafa2bcf44a8
                                            • Instruction ID: 2da6ff41fc94fa83b718d4b3339055f3ede0ba49ca876a5abaf9215e4b55d891
                                            • Opcode Fuzzy Hash: 58a2358d471ed13e9221c5c83fba3ba71cc1ed933fbc09d7a2adfafa2bcf44a8
                                            • Instruction Fuzzy Hash: 5431D0316052508FC715DF2CD548A99BBF1FF49318B1845A9E44ACB7B2DB35EC02CB80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032206405.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_14fd000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d447fe8e7b97a225b24992be69cc88fe75f3ce9b6ad8a821244daa2b31b96ae7
                                            • Instruction ID: f608b6a66f60dd023d2379134d88047d8fe777c894d241ef5e6e4d4b8a25fd7c
                                            • Opcode Fuzzy Hash: d447fe8e7b97a225b24992be69cc88fe75f3ce9b6ad8a821244daa2b31b96ae7
                                            • Instruction Fuzzy Hash: FD21F171900244DFDB05DF98D984B27BF65FB88318F20C56EEA090B366C33AD416CAA2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032237395.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_150d000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16d6b83ef02005c0056d88082bf4512ba1bc82c0dfe1f0f1013cc0ee91526747
                                            • Instruction ID: d8245c7b4f4161fb8b647aa12bd6122872a1741e78f3c6ded81969a8291d194a
                                            • Opcode Fuzzy Hash: 16d6b83ef02005c0056d88082bf4512ba1bc82c0dfe1f0f1013cc0ee91526747
                                            • Instruction Fuzzy Hash: 5E21F571504205EFDB06DFD8D5C0B26BBB5FB84324F20C96DE9094F296C33AD406CA61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032237395.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_150d000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f5c3c4f83e4ff8c322c2c36bdb6fc124a02e7417bc5e64169e2be48dd941e21f
                                            • Instruction ID: e2824ebf8fc180ca8cccf2d23d6bb1106fba8dd70aae9b0edac5eb384f5fd19d
                                            • Opcode Fuzzy Hash: f5c3c4f83e4ff8c322c2c36bdb6fc124a02e7417bc5e64169e2be48dd941e21f
                                            • Instruction Fuzzy Hash: B9210071604204DFDB16DFE8D990B26BFB5FB88314F20C969D90E4F296D33AD406CA62
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 46812112d4dc5b5bb2bc48cefe93240d06aa31dad475b5a4f5b5cd740103d5a7
                                            • Instruction ID: e529791242ba0049d00e62207b4990a98aef2c1f984c7ee82fce5c1b4db186fd
                                            • Opcode Fuzzy Hash: 46812112d4dc5b5bb2bc48cefe93240d06aa31dad475b5a4f5b5cd740103d5a7
                                            • Instruction Fuzzy Hash: 4C215332A106099FCB10EF6CD84599AFBF5FF59310B50C26AE958A7314EB30E994CBD1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 13db359db5e1bc067839dff96498190a05b5a59d79b036cae122e1aeac59ed9d
                                            • Instruction ID: 7ff0b08590162e1f5898372c3d1be9f48e5a935477f3f40fc3e64972e757aa4e
                                            • Opcode Fuzzy Hash: 13db359db5e1bc067839dff96498190a05b5a59d79b036cae122e1aeac59ed9d
                                            • Instruction Fuzzy Hash: CE31C3B0D02218DFDB20DF99C989BDEBBF5AB08314F24841AE404BB754C7755945CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5f952452e620b3ab1346103c6e65133f930445ba0981e6705f0ba7a4b809fd16
                                            • Instruction ID: 1f7f29c9c3236477b757463ecb141b255137ff743ffac251c72b2c3ce4ad8924
                                            • Opcode Fuzzy Hash: 5f952452e620b3ab1346103c6e65133f930445ba0981e6705f0ba7a4b809fd16
                                            • Instruction Fuzzy Hash: 0231C0B0D022189FDB20DF9AC988BDEBBF5BB08314F24801AE408BB244C7B55885CF95
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 87daefd031db990d032f8f59d7f06deb40c0175b059de383b2c6903c82b3227d
                                            • Instruction ID: 7b5cd6fbc87ee57f64cdf3345cb47b5dce6701cc8666565a08f2cc2cb9d7fb6a
                                            • Opcode Fuzzy Hash: 87daefd031db990d032f8f59d7f06deb40c0175b059de383b2c6903c82b3227d
                                            • Instruction Fuzzy Hash: 8D11B4717012058FCB00EF69C48599BB7FAEF84744F04896AD646DB360EB70EC09CB91
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032237395.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_150d000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 653ad99cd2e7246af734618c237ee6e9a344e848f9ec54541cc706dd632af729
                                            • Instruction ID: 7b454239f2fcd3e247036596b5b93cd030a9550a6db5e2792cab81ed9e80107c
                                            • Opcode Fuzzy Hash: 653ad99cd2e7246af734618c237ee6e9a344e848f9ec54541cc706dd632af729
                                            • Instruction Fuzzy Hash: 372192755093808FDB03CFA4D994715BF71FB46214F28C5DAD8498F6A7C33A980ACB62
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3b32b28d6dc43917272508215e98a1be0d83f7f3dce1877c955bf5ece3aacd95
                                            • Instruction ID: e50ddb40498c612a818061b1bdecc7ba124583977b1a252d9b986b8821b6d52e
                                            • Opcode Fuzzy Hash: 3b32b28d6dc43917272508215e98a1be0d83f7f3dce1877c955bf5ece3aacd95
                                            • Instruction Fuzzy Hash: A0216A76901B5587EB009F2DD844381B365FF95324F19867ADD4D3B302EB71B984C7A4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 62014e5e59601f9791cc6a12defeb2eb3bee1eb788db8eb67fafb941c5a82b18
                                            • Instruction ID: 362cec3110210b9fe46ffd2a6f82193c0474e37c844e7f90e3743288db9ae65d
                                            • Opcode Fuzzy Hash: 62014e5e59601f9791cc6a12defeb2eb3bee1eb788db8eb67fafb941c5a82b18
                                            • Instruction Fuzzy Hash: C7119E71A0220A5FDB20DF7988459BFBBB7EFC4660B24892DE415D7344EB308D01C760
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 513daead91ca04ab5480c6e18e07d1d991d8862b9f62c52bb5542c7fe6bc3fcd
                                            • Instruction ID: 2c4eb8c322b8fc61e61cac972ca8acee31f94147fd717877cb37f7d713f02c78
                                            • Opcode Fuzzy Hash: 513daead91ca04ab5480c6e18e07d1d991d8862b9f62c52bb5542c7fe6bc3fcd
                                            • Instruction Fuzzy Hash: 1811E1323562004FD7148A2DCC85AA93BE6EF85724F1880BAE14BCF7A6DA75DC04CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032206405.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_14fd000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                            • Instruction ID: a44132581639455b7412612f109209c20b0b7c0931e64052339193ebebc8b20a
                                            • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                            • Instruction Fuzzy Hash: AB11CD72804280CFCB02CF54D9C4B16BF61FB88214F24C6AAD9490B366C336D45ADBA2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ede253b5df20b985983c59b570f75b8a9fb2c4e9a7944084bc6436415620b7f3
                                            • Instruction ID: 8345bd7d3df7bf86092650a93333621486e972c94c7d03001905c6cd619a91de
                                            • Opcode Fuzzy Hash: ede253b5df20b985983c59b570f75b8a9fb2c4e9a7944084bc6436415620b7f3
                                            • Instruction Fuzzy Hash: B8116776A01B5187EB009F2DD844281B3A5FFA5328F19867ACD4C3F312EB717984CBA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032237395.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_150d000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction ID: 9b375344561d33a3aa773ccc21295464065180e438129e408be79cf8934271f1
                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction Fuzzy Hash: E711BB75504280DFDB02CF98C5C4B19BFB1FB84224F24C6A9D8494F696C33AD40ACB62
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9589f47dfdf8854071464f8c8a412039eb00c1f83ca11a59a9ab97294246921f
                                            • Instruction ID: ff8ec3c8f894e0e4bf2c988f635bd753fec7a7849ba604fe2be4106ac1bc3f8b
                                            • Opcode Fuzzy Hash: 9589f47dfdf8854071464f8c8a412039eb00c1f83ca11a59a9ab97294246921f
                                            • Instruction Fuzzy Hash: B101D4323056118BC6259A1DF848AAAB7EAFFC8661B18012EF506C7768DF349C46C790
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b14b22d82c42d8be106921128e578e5e13fe8d2f1bf2af6080ec79649005b166
                                            • Instruction ID: 3950ee46b160db77c93b201620fa9e405d074377be6483e78e7e26ee122fd409
                                            • Opcode Fuzzy Hash: b14b22d82c42d8be106921128e578e5e13fe8d2f1bf2af6080ec79649005b166
                                            • Instruction Fuzzy Hash: FC11F0B5D046089FDB20DF9AD444B9EFBF9EB48320F10841AE959A7310D3B8A944CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 51ca6129c42c1488f64f9ac504601ef22a881cc84c24c9c90f0ca5df31e20943
                                            • Instruction ID: 4c7d071174a11ec8bf6abc3bde7fb3bf24aa2adb602fd43a3afc1747e004e3d8
                                            • Opcode Fuzzy Hash: 51ca6129c42c1488f64f9ac504601ef22a881cc84c24c9c90f0ca5df31e20943
                                            • Instruction Fuzzy Hash: CD11F0B5C006489FDB10DFAAC845B9EFBF9EB48320F14851AE918A7310D378A545CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be1dcdf59ac6e7ccfe444b7bb3605d10a3f62de4eb6883846692c7779913bbb2
                                            • Instruction ID: 459208523da5313ed4d088c6e2f979641f15050010f80645080ebe14576caf30
                                            • Opcode Fuzzy Hash: be1dcdf59ac6e7ccfe444b7bb3605d10a3f62de4eb6883846692c7779913bbb2
                                            • Instruction Fuzzy Hash: D711F0B5D046488FDB20DF9AC444B9EFBF9EB48320F10841AE919A7310D3B8A944CFA5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c442aa3601109a9c16dadb99e40170ffaf7176b64d3884776ff6b285775a32ef
                                            • Instruction ID: a311d55a9111e46ee69a6777d6ff49a49e264013c07e6a5279e97ae0fe878295
                                            • Opcode Fuzzy Hash: c442aa3601109a9c16dadb99e40170ffaf7176b64d3884776ff6b285775a32ef
                                            • Instruction Fuzzy Hash: 4701D4317572159FD7205E35E48876ABEDAFB693AAF50083AF107C2280CF34C996C754
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ea22541770338de2c2bbee6f44e6e22139c2ed5d97f6c7ecc046caa29b6f1da4
                                            • Instruction ID: ad2f94ed665ceabb97822c6696d97b9ff06fb0783d2e20790084641a24af0e15
                                            • Opcode Fuzzy Hash: ea22541770338de2c2bbee6f44e6e22139c2ed5d97f6c7ecc046caa29b6f1da4
                                            • Instruction Fuzzy Hash: 8B01A1307012058FC715DF29D484A6AB7E6FFC9201B18456DD40ACB764CB31EC06CB50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a302d26e5b62976d6f73c8f10d5885714457991721c32d3a8391abe030dd273c
                                            • Instruction ID: ba0493a1fac9260e8b177ce1f07f745c964e676f0da21d4b1b3f7d09816b0e1a
                                            • Opcode Fuzzy Hash: a302d26e5b62976d6f73c8f10d5885714457991721c32d3a8391abe030dd273c
                                            • Instruction Fuzzy Hash: A71122B58013488FCB20DFAAC485B9EFBF8EB48320F10841AD958A7304C339A944CFA5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @\
                                            • API String ID: 0-1181013065
                                            • Opcode ID: 62212cff9044b9e536b1b395a991da61fee2eef100c996b46efa382a5c45530c
                                            • Instruction ID: 772121f98b4e66e605c4318997de96a246470e6e139424cb4bc52b0c32f9f1b5
                                            • Opcode Fuzzy Hash: 62212cff9044b9e536b1b395a991da61fee2eef100c996b46efa382a5c45530c
                                            • Instruction Fuzzy Hash: 85E1F5B4E10219CFCB15CFA9C5809AEBBB2FF89305F248169D415AB356DB31AD81CF61
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @\
                                            • API String ID: 0-1181013065
                                            • Opcode ID: e79cb5da56450f1991bd6ade839cd17dd172aefda8c8a7a255bf9b9532e8b752
                                            • Instruction ID: 28a4d249694f1ceaaccab9ffc93b3a5c11c371f40854c54ad9b4b2440b385483
                                            • Opcode Fuzzy Hash: e79cb5da56450f1991bd6ade839cd17dd172aefda8c8a7a255bf9b9532e8b752
                                            • Instruction Fuzzy Hash: 3051E7B4E1021A8FCB15CFA9C9805AEBBF6EF89305F248169D419A7315DB31AE41CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7a46f11aec50dcf2b533c0a133b0970996e31a46c4506ffff493d864fdd2ab8e
                                            • Instruction ID: a513786c19ab4c4c46ca9b73139ab2493eda6bc3504f81759667b0587f377025
                                            • Opcode Fuzzy Hash: 7a46f11aec50dcf2b533c0a133b0970996e31a46c4506ffff493d864fdd2ab8e
                                            • Instruction Fuzzy Hash: C0E185B0B017028FDB29DB7AC454B6AB7EAEF8A700F14846DD1469B3A0DB35ED01CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f6492f2f8a0e585419173d57459811ec37b6a6b61415c997d6a69d929703da14
                                            • Instruction ID: d7cfdac8e388b1dbdec444e337227bd4cfbf79c7662425922e22861e8b6040d7
                                            • Opcode Fuzzy Hash: f6492f2f8a0e585419173d57459811ec37b6a6b61415c997d6a69d929703da14
                                            • Instruction Fuzzy Hash: 2BE1D6B4E101198FCB14CFA9C5849AEBBF2FF89305F248169D415AB356DB31AD81CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 39e22f42c453a7c78cc9004273db28a7fd2daa034087cefadeb080e91473daf6
                                            • Instruction ID: ce6ccc4629a20a75e57dfc5832fa48acb1176d19d389d1103bd80b6e8b98d5f2
                                            • Opcode Fuzzy Hash: 39e22f42c453a7c78cc9004273db28a7fd2daa034087cefadeb080e91473daf6
                                            • Instruction Fuzzy Hash: 7BE1E8B4E101198FCB14CFA9C5909AEBBF2FF89305F248169D415AB356DB30AD81CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f2696a4a65292e267a222a2dacb87610d121bd3652d43b12e185be446d66882
                                            • Instruction ID: 1e37b5b9a786f36a7b13a56c8efd8e808d923b01a7455958172c5a460eeee2bc
                                            • Opcode Fuzzy Hash: 2f2696a4a65292e267a222a2dacb87610d121bd3652d43b12e185be446d66882
                                            • Instruction Fuzzy Hash: 64E1F6B4E101599FCB14CFA9C5809AEBBF2FF89305F248169D815AB356DB31AD81CF60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6b4c82560f19d1a1af36bda590c34e222ac37e4b0ff56812d69a9f00e66c6849
                                            • Instruction ID: 14ea667d813bf73ee274c3a23c1a48daca07ece3ebf5eedfd101732ee917d6de
                                            • Opcode Fuzzy Hash: 6b4c82560f19d1a1af36bda590c34e222ac37e4b0ff56812d69a9f00e66c6849
                                            • Instruction Fuzzy Hash: 8DE1E9B4E101598FCB14CFA9D5809AEBBF2FF89305F248169D815AB356DB30AD41CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a9f1f3bd3c69f42df6e04ea4c43b863e730fcd3555a6f710fbadc7bd1950706f
                                            • Instruction ID: 68f49d4746cf4b8b44a126e721e223826c0a62fb54d534feed9f88476e152dcc
                                            • Opcode Fuzzy Hash: a9f1f3bd3c69f42df6e04ea4c43b863e730fcd3555a6f710fbadc7bd1950706f
                                            • Instruction Fuzzy Hash: FBD10931D1075A8ACB11EF68E994A9DB7B1FFA5200F11C79AE0093B624EF706AC5CF41
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2035495030.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_56e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 62033c356361b8fce62ae34214ac77b229e34b2160d1e77d413e47f6c5e9665b
                                            • Instruction ID: 0a1b4d1658a8b93e5b9421000dc0431680ec72388ed5df8dd4572ac04355167b
                                            • Opcode Fuzzy Hash: 62033c356361b8fce62ae34214ac77b229e34b2160d1e77d413e47f6c5e9665b
                                            • Instruction Fuzzy Hash: E4D1F931D2075A8ACB11EF68D994A9DB7B1FFA5200F11C79AE1093B224EF706AC5CF41
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2032437842.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_17e0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1cdd3f953b0d402c8947a64612a995bc362bc3b42903c6b2a787edc3e3f58f97
                                            • Instruction ID: a33feb06df1d6fbf0dedc52a588224efccc7db24c37a086a728ad7b674380913
                                            • Opcode Fuzzy Hash: 1cdd3f953b0d402c8947a64612a995bc362bc3b42903c6b2a787edc3e3f58f97
                                            • Instruction Fuzzy Hash: D6A15F32E002098FCF05DFB9C84859EFBF2FF99304B25856AE905AB665DB71D916CB40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2043862241.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_76d0000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d61247c743b15bdb689c2212c576dc0ea66c688d043cbdb7875776be0a0fc821
                                            • Instruction ID: 6e457dadcfcb73c4798a5fdb80d2c77b0c3e1680c9c0d120e51b1eeda4ddf8d5
                                            • Opcode Fuzzy Hash: d61247c743b15bdb689c2212c576dc0ea66c688d043cbdb7875776be0a0fc821
                                            • Instruction Fuzzy Hash: B15109B4E102598FCB14CFA9D5805AEFBF2EF89305F248169D809A7315DB319D41CFA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e4a9b4fb1ac9c204dc4f3dddb0436fe5f9c549579cd26c59ac73c23cdf0cb4ad
                                            • Instruction ID: 1ee4e2f054422566037258a6014e9d757b22f8053cb19a6368d9d145f08b7a38
                                            • Opcode Fuzzy Hash: e4a9b4fb1ac9c204dc4f3dddb0436fe5f9c549579cd26c59ac73c23cdf0cb4ad
                                            • Instruction Fuzzy Hash: FF53F631C10B1A8ACB51EF68C8945A9F7B1FF99300F11D79AE4587B121FB70AAD5CB81
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 46ffd790606e5df293b83b87bc5b6c7976a788be883cc102cb81053f4b2daafe
                                            • Instruction ID: ff32d50991d92f404e6b74901b668657ddea90692e60f7daff3054550e99768f
                                            • Opcode Fuzzy Hash: 46ffd790606e5df293b83b87bc5b6c7976a788be883cc102cb81053f4b2daafe
                                            • Instruction Fuzzy Hash: 07332C31D107198EDB11EF68C8946ADF7B1FF99300F15D69AE448B7221EB70AAC5CB81
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 83193554ee1c25125eadf8e03d41d31364e73ad63ea8fdd121083b985c4a5500
                                            • Instruction ID: cc37f0f484785322a74442a9d9a042f95dd29e26533bc94983037303852ea660
                                            • Opcode Fuzzy Hash: 83193554ee1c25125eadf8e03d41d31364e73ad63ea8fdd121083b985c4a5500
                                            • Instruction Fuzzy Hash: 08B13EB1F002098FDB10CFA9D9857ADBBF2EF88358F149529D415F7294EB749845CB81
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6fee63bd60c7db4db6977d0d9c7382fcdb7ee227c65e4b71f8b167e58707d75a
                                            • Instruction ID: 025ca9bcc092bd39fcab2b6c662119a02bdc741c9f5aa9a227f4b1e0b074a4c9
                                            • Opcode Fuzzy Hash: 6fee63bd60c7db4db6977d0d9c7382fcdb7ee227c65e4b71f8b167e58707d75a
                                            • Instruction Fuzzy Hash: 7E913CB0E002099FDF14CFA9D9857DDBBF2AF88318F149129E415B7394EB749985CB81
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: PH]q
                                            • API String ID: 0-3168235125
                                            • Opcode ID: fc46035e9d5807c72575de0cbd552345b6a5324e3794a44e5d0ab7792a3e5544
                                            • Instruction ID: dd424a7c0bec89bbd36184ba8d4bc512832aa3be3b138c43cf4636240baf7b74
                                            • Opcode Fuzzy Hash: fc46035e9d5807c72575de0cbd552345b6a5324e3794a44e5d0ab7792a3e5544
                                            • Instruction Fuzzy Hash: 5141C930B002018FCB19AF34E56466F7BA6AF89B04B244578E406EB395DF38DD06CBA5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LR]q
                                            • API String ID: 0-3081347316
                                            • Opcode ID: 38551c39a2a1c007af7e2537b06144a308f09b5a6abbb0ff7232b7d4aa79cb51
                                            • Instruction ID: 51b827e5c331eae3afca8f3bbfde75ec0433db4d4f31142494eb43c059b3083d
                                            • Opcode Fuzzy Hash: 38551c39a2a1c007af7e2537b06144a308f09b5a6abbb0ff7232b7d4aa79cb51
                                            • Instruction Fuzzy Hash: 8C11A5307082409FC716AF7CD46469D7BF6EFC6710B1048AED089CB2A1EA365D45C7A2
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e84b2f95eed17e4d56bfb5395fd7c263f03df87c4fbf584892cb81bb56791e0
                                            • Instruction ID: 765b2261f5477ba73a33f42068d7e0cb54b3abead8ecc300357cdf13023079f2
                                            • Opcode Fuzzy Hash: 5e84b2f95eed17e4d56bfb5395fd7c263f03df87c4fbf584892cb81bb56791e0
                                            • Instruction Fuzzy Hash: 901229307202139FCF29AE38E54562936A7FB85355B104A39E045DB3A9DF35EC87CBA1
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a31ce2d135fa361d107af6ebd394cad9b854f830a27ae6e7996a639c9d6079e6
                                            • Instruction ID: 7ee1dba3ce0208148778bddca711a34d1442525696b00719dd60677fda300136
                                            • Opcode Fuzzy Hash: a31ce2d135fa361d107af6ebd394cad9b854f830a27ae6e7996a639c9d6079e6
                                            • Instruction Fuzzy Hash: 2BF18134A001058FCB14DF68E584AAEB7B2FF89314F218569E809FB396DB35DD42CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 79158ba91c7bb6d8104f961b1f7c6f4dbe02ef0ec241f9e99d12162cfcbfbf25
                                            • Instruction ID: cde46625991d33ab36fa5e0d4535fb515025d16591feb06dab70875b4d4e5092
                                            • Opcode Fuzzy Hash: 79158ba91c7bb6d8104f961b1f7c6f4dbe02ef0ec241f9e99d12162cfcbfbf25
                                            • Instruction Fuzzy Hash: 63B12CB0E00209CFDB10CFA9E98579DBBF1EF88358F149129D819F7294EB749885CB81
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7d80a8664e7c9c2415355fac07f54fe4fde143961ea05b864e3d09f60272fbbd
                                            • Instruction ID: a92cde2202614053147c1c10e6cca439e9bce81a29622c54547f211713c6f7e9
                                            • Opcode Fuzzy Hash: 7d80a8664e7c9c2415355fac07f54fe4fde143961ea05b864e3d09f60272fbbd
                                            • Instruction Fuzzy Hash: 2DA12AB0E00209DFDF10CFA9D9857DDBBF1AF88318F149129E415B7294EB749985CB91
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 54da8087bdfd6cde73ab9ed5fd617f6e93613ce1b69d82ee2dd29eb7b83c181d
                                            • Instruction ID: 6cc316e6689280b8e14550c62c26882952a803a1af410d25b90ab9636a5259f0
                                            • Opcode Fuzzy Hash: 54da8087bdfd6cde73ab9ed5fd617f6e93613ce1b69d82ee2dd29eb7b83c181d
                                            • Instruction Fuzzy Hash: 83818D71A002058FDB14DF69E884B9EBBF6FF88314F148269E909AB396D770DD45CB90
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3fd5265b6803970955753ce2d5c6d8769871113cb3bc7db2216ad050435f8315
                                            • Instruction ID: 1f519fe9a3447394df514e637d68453f4846dac5971869a5da47e14f89828d1b
                                            • Opcode Fuzzy Hash: 3fd5265b6803970955753ce2d5c6d8769871113cb3bc7db2216ad050435f8315
                                            • Instruction Fuzzy Hash: 84717AB0E00249DFDB14CFA9D881BDEBBF2BF88318F149129E415B7294EB349845DB95
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a298e282fd36121c5e7d8cda692cf96f6aeaa114b4af96af6507e114f9ea521c
                                            • Instruction ID: 3275416f91fc535a50a6436c362ccd1a98e1dcba438be6f800c1b69ef63e1128
                                            • Opcode Fuzzy Hash: a298e282fd36121c5e7d8cda692cf96f6aeaa114b4af96af6507e114f9ea521c
                                            • Instruction Fuzzy Hash: 3F717BB0E00249CFDB14CFA9D88179EBBF2BF88318F149129E415B7294EB349841DB95
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0272b98ae472ecbb8178797ade9775b6f806c6ec83f8ecb374296c95f03ba136
                                            • Instruction ID: b5a606511119517a127b34b6881aabfa8d531283143a2a7ce1a27b99a102728a
                                            • Opcode Fuzzy Hash: 0272b98ae472ecbb8178797ade9775b6f806c6ec83f8ecb374296c95f03ba136
                                            • Instruction Fuzzy Hash: EE511374E102188FDB14DFA9D885B9DBBF1FF49304F14812AE819BB394D774A844CB96
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2436955c8835f8ab734e0b82fea6ab8b9ccd9cad9ee39687b0658657e3534a7d
                                            • Instruction ID: e4cebc9e5c24b9b939d957ebee81844e77b7328a80dd4574e8aed64f9a57168f
                                            • Opcode Fuzzy Hash: 2436955c8835f8ab734e0b82fea6ab8b9ccd9cad9ee39687b0658657e3534a7d
                                            • Instruction Fuzzy Hash: 08512474E002188FDB14DFA9D885B9DBBF1BF49304F148129E819BB394D774A844CB96
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3282297303.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_e40000_SecuriteInfo.jbxd
                                            Memory Dump Source
                                            • Source File: 00000003.00000002.3281979035.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_3_2_dad000_SecuriteInfo.jbxd
                                            • Opcode Fuzzy Hash: 787de67edb8c43d408bd8e0c53cccff6d29bc4abce39e33ab6b7b8dad2e351e2
                                            • Instruction Fuzzy Hash: DCE02233D08314AFCB19CE76AC054C7BFB0EB8636071289ABD440E7013E3310510C6A1