Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
Analysis ID:1465503
MD5:1bf19b9cf38e2316c53af9ecfdf2142b
SHA1:1fcae3591288df36927b66fcb3422e14ba12b234
SHA256:a2f6bbeb5c2756cfd0a71196e98f0b4f71e58101b3e39342015aad98d70d0f31
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe" MD5: 1BF19B9CF38E2316C53AF9ECFDF2142B)
    • powershell.exe (PID: 6576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7272 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe" MD5: 1BF19B9CF38E2316C53AF9ECFDF2142B)
      • WerFault.exe (PID: 7380 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 196 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2de83:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe PID: 6580JoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x2de83:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2d083:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x165e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, ParentProcessId: 6580, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe", ProcessId: 6576, ProcessName: powershell.exe
          Sigma detected: Powershell Defender Exclusion
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, ParentProcessId: 6580, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe", ProcessId: 6576, ProcessName: powershell.exe
          Sigma detected: Non Interactive PowerShell Process Spawned
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, ParentProcessId: 6580, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe", ProcessId: 6576, ProcessName: powershell.exe

          Snort Signatures

          No Snort rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Antivirus / Scanner detection for submitted sample
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeAvira: detected
          Multi AV Scanner detection for submitted file
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeReversingLabs: Detection: 28%
          Yara detected FormBook
          Source: Yara matchFile source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeJoe Sandbox ML: detected
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1787571267.0000000002F31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: Amcache.hve.8.drString found in binary or memory: http://upx.sf.net
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeString found in binary or memory: http://www.opcom.ro/rapoarte/export_csv_raportPIPsiVolumTranzactionat_PI.php?zi=
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeString found in binary or memory: http://www.opcom.ro/rapoarte/export_xml_PIPsiVolTranPI.php?zi=
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0042B313 NtClose,4_2_0042B313
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0040A7CF NtReadFile,4_2_0040A7CF
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0040A7ED NtReadFile,4_2_0040A7ED
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_01042DF0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01044340 NtSetContextThread,4_2_01044340
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01044650 NtSuspendThread,4_2_01044650
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042B60 NtClose,4_2_01042B60
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042B80 NtQueryInformationFile,4_2_01042B80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042BA0 NtEnumerateValueKey,4_2_01042BA0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042BE0 NtQueryValueKey,4_2_01042BE0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042BF0 NtAllocateVirtualMemory,4_2_01042BF0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042AB0 NtWaitForSingleObject,4_2_01042AB0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042AD0 NtReadFile,4_2_01042AD0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042AF0 NtWriteFile,4_2_01042AF0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042D00 NtSetInformationFile,4_2_01042D00
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042D10 NtMapViewOfSection,4_2_01042D10
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042D30 NtUnmapViewOfSection,4_2_01042D30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042DB0 NtEnumerateKey,4_2_01042DB0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042DD0 NtDelayExecution,4_2_01042DD0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042C00 NtQueryInformationProcess,4_2_01042C00
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042C60 NtCreateKey,4_2_01042C60
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042C70 NtFreeVirtualMemory,4_2_01042C70
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042CA0 NtQueryInformationToken,4_2_01042CA0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042CC0 NtQueryVirtualMemory,4_2_01042CC0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042CF0 NtOpenProcess,4_2_01042CF0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042F30 NtCreateSection,4_2_01042F30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042F60 NtCreateProcessEx,4_2_01042F60
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042F90 NtProtectVirtualMemory,4_2_01042F90
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042FA0 NtQuerySection,4_2_01042FA0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042FB0 NtResumeThread,4_2_01042FB0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042FE0 NtCreateFile,4_2_01042FE0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042E30 NtWriteVirtualMemory,4_2_01042E30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042E80 NtReadVirtualMemory,4_2_01042E80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042EA0 NtAdjustPrivilegesToken,4_2_01042EA0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042EE0 NtQueueApcThread,4_2_01042EE0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01043010 NtOpenDirectoryObject,4_2_01043010
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01043090 NtSetValueKey,4_2_01043090
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010435C0 NtCreateMutant,4_2_010435C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010439B0 NtGetContextThread,4_2_010439B0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01043D10 NtOpenProcessToken,4_2_01043D10
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01043D70 NtOpenThread,4_2_01043D70
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 0_2_02C749BB0_2_02C749BB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 0_2_02C700400_2_02C70040
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 0_2_02C700070_2_02C70007
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 0_2_02C769780_2_02C76978
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0040E0434_2_0040E043
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_004030674_2_00403067
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_004010F04_2_004010F0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_004030B04_2_004030B0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_004012A04_2_004012A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_004025404_2_00402540
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0040FD9A4_2_0040FD9A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0040FDA34_2_0040FDA3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_004167534_2_00416753
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0042D7734_2_0042D773
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0040FFC34_2_0040FFC3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010001004_2_01000100
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AA1184_2_010AA118
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010981584_2_01098158
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D01AA4_2_010D01AA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C41A24_2_010C41A2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C81CC4_2_010C81CC
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A20004_2_010A2000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CA3524_2_010CA352
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D03E64_2_010D03E6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101E3F04_2_0101E3F0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B02744_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010902C04_2_010902C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010105354_2_01010535
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D05914_2_010D0591
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B44204_2_010B4420
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C24464_2_010C2446
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010BE4F64_2_010BE4F6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010347504_2_01034750
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010107704_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100C7C04_2_0100C7C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102C6E04_2_0102C6E0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FF68B84_2_00FF68B8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010269624_2_01026962
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A04_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010DA9A64_2_010DA9A6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101A8404_2_0101A840
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010128404_2_01012840
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E8F04_2_0103E8F0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CAB404_2_010CAB40
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C6BD74_2_010C6BD7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100EA804_2_0100EA80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101AD004_2_0101AD00
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010ACD1F4_2_010ACD1F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01028DBF4_2_01028DBF
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100ADE04_2_0100ADE0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010C004_2_01010C00
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0CB54_2_010B0CB5
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01000CF24_2_01000CF2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01052F284_2_01052F28
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01030F304_2_01030F30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B2F304_2_010B2F30
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01084F404_2_01084F40
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108EFA04_2_0108EFA0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01002FC84_2_01002FC8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CEE264_2_010CEE26
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010E594_2_01010E59
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01022E904_2_01022E90
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CCE934_2_010CCE93
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CEEDB4_2_010CEEDB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010DB16B4_2_010DB16B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0104516C4_2_0104516C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101B1B04_2_0101B1B0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFF1724_2_00FFF172
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010170C04_2_010170C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010BF0CC4_2_010BF0CC
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C70E94_2_010C70E9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CF0E04_2_010CF0E0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C132D4_2_010C132D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0105739A4_2_0105739A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010152A04_2_010152A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFD34C4_2_00FFD34C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102B2C04_2_0102B2C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B12ED4_2_010B12ED
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C75714_2_010C7571
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AD5B04_2_010AD5B0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D95C34_2_010D95C3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CF43F4_2_010CF43F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010014604_2_01001460
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CF7B04_2_010CF7B0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010556304_2_01055630
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C16CC4_2_010C16CC
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A59104_2_010A5910
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010199504_2_01019950
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102B9504_2_0102B950
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107D8004_2_0107D800
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010138E04_2_010138E0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CFB764_2_010CFB76
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102FB804_2_0102FB80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01085BF04_2_01085BF0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0104DBF94_2_0104DBF9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CFA494_2_010CFA49
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C7A464_2_010C7A46
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01083A6C4_2_01083A6C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01055AA04_2_01055AA0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010ADAAC4_2_010ADAAC
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B1AA34_2_010B1AA3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010BDAC64_2_010BDAC6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01013D404_2_01013D40
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C1D5A4_2_010C1D5A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C7D734_2_010C7D73
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102FDC04_2_0102FDC0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01089C324_2_01089C32
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CFCF24_2_010CFCF2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CFF094_2_010CFF09
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01011F924_2_01011F92
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CFFB14_2_010CFFB1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FD3FD54_2_00FD3FD5
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FD3FD24_2_00FD3FD2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01019EB04_2_01019EB0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: String function: 01045130 appears 58 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: String function: 0108F290 appears 105 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: String function: 00FFB970 appears 265 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: String function: 0107EA12 appears 86 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: String function: 01057E54 appears 108 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 196
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1810235337.0000000007E28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1786338803.00000000010EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000000.1766836867.0000000000A08000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameQxkB.exe, vs SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1800962300.0000000007740000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1787571267.0000000002F81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRT.dll. vs SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1789720390.000000000410E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1810824811.0000000007F00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRT.dll. vs SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000004.00000002.2027035047.00000000010FD000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeBinary or memory string: OriginalFilenameQxkB.exe, vs SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, z4LpfGv01ne7UPQfiZ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, z4LpfGv01ne7UPQfiZ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, YYbExWCfH0l9s2xqMN.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, YYbExWCfH0l9s2xqMN.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, YYbExWCfH0l9s2xqMN.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, YYbExWCfH0l9s2xqMN.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, YYbExWCfH0l9s2xqMN.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, YYbExWCfH0l9s2xqMN.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, YYbExWCfH0l9s2xqMN.csSecurity API names: _0020.SetAccessControl
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, YYbExWCfH0l9s2xqMN.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, YYbExWCfH0l9s2xqMN.csSecurity API names: _0020.AddAccessRule
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, z4LpfGv01ne7UPQfiZ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.30f46e8.0.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.73a0000.7.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.31158b8.1.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/11@0/0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_03
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7092
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1cv3okj0.b1b.ps1Jump to behavior
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeReversingLabs: Detection: 28%
          Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe"
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 196
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe"Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe"Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp

          Data Obfuscation

          barindex
          .NET source code contains potential unpacker
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, OptionsWindow.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, YYbExWCfH0l9s2xqMN.cs.Net Code: NOmpDKKDCJ System.Reflection.Assembly.Load(byte[])
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, YYbExWCfH0l9s2xqMN.cs.Net Code: NOmpDKKDCJ System.Reflection.Assembly.Load(byte[])
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, YYbExWCfH0l9s2xqMN.cs.Net Code: NOmpDKKDCJ System.Reflection.Assembly.Load(byte[])
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00401898 push ebp; ret 4_2_0040189E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_004018A5 push esi; ret 4_2_004018A7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_004018AF push edi; ret 4_2_004018B0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0040D1F8 pushad ; retf 4_2_0040D1BA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0040D188 pushad ; retf 4_2_0040D1BA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0041428B push 56DD2A11h; retf 4_2_00414290
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00403360 push eax; ret 4_2_00403362
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00413B98 push edx; iretd 4_2_00413BE8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_004164ED push edi; ret 4_2_004164FE
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_004164F3 push edi; ret 4_2_004164FE
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00406CF7 pushad ; retf 4_2_00406D01
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00407549 pushfd ; iretd 4_2_0040754A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_004185DD pushad ; ret 4_2_004185E9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_004165F0 push es; iretd 4_2_004165FC
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00404E73 pushad ; retf 4_2_00404E75
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00418701 push edi; ret 4_2_0041870C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00418703 push edi; ret 4_2_0041870C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00401734 push cs; iretd 4_2_00401735
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FD225F pushad ; ret 4_2_00FD27F9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FD27FA pushad ; ret 4_2_00FD27F9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010009AD push ecx; mov dword ptr [esp], ecx4_2_010009B6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FD283D push eax; iretd 4_2_00FD2858
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FD1368 push eax; iretd 4_2_00FD1369
          Source: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeStatic PE information: section name: .text entropy: 7.968605701945629
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, XHy2YHxYFy24G9efMi.csHigh entropy of concatenated method names: 'xAdOBjWEQf', 'DjGObeq7aB', 'DgFO9fDKEP', 'oMnOUMn6of', 'KDNOmgM1oW', 'pfH9GQWxHl', 'u4M90gIvjc', 'fAo9yPqNuy', 'qCw9K8HSy8', 'XpG9FbCn3V'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, HG7aVPjV0Xm5cb5HsE.csHigh entropy of concatenated method names: 'NXAejqyAda', 'reneWxh1jK', 'cc0eppsCN3', 'L59eTkdA7W', 'AHtebcVQCN', 'nxse9EshRP', 'OMfeOf6rfu', 'ar0ZyoKQSw', 'IkoZKiZswZ', 'dv7ZFJYYSQ'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, UuH2s48SCWJNtdlBDd.csHigh entropy of concatenated method names: 'VYHVxiibqB', 'BCHVrQesBD', 'A0WVXK7RFM', 'PbRVi7JTkv', 'qd9Vq2Mwxo', 'eQKV6tsXX2', 'PKEVw4mh0o', 'FdsVZpySBn', 'kAZVexuRdi', 'TouVoOCVMS'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, z4LpfGv01ne7UPQfiZ.csHigh entropy of concatenated method names: 'a3YbQXLgxw', 'oLybSlBow7', 'D5mbsHg0lq', 'x2gbgcW3ox', 'OIlbGg4QYy', 'y8Gb0ml0Hb', 'Jhobylv1om', 'OafbKmZVhg', 'EBPbFmec0b', 'vWnbILm4p9'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, c9x0sbzteSxca5gh7D.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T9deM7ALKp', 'YY1eqtQUdj', 'PuMe6TNliW', 'eEFewcq1x6', 'ANgeZw5VGM', 'QiaeegxpW4', 'TP5eoEgUAl'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, mRKblgOsAnWsdNmVw6R.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'piBoQt1Dgq', 'MdCoS3MTLi', 'PFaosBFjXd', 'sHxogW7LgK', 'FNcoGlhorJ', 'bIKo0ObT5a', 'ul0oyumqJR'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, MY4KpsIamSgHxeAJnH.csHigh entropy of concatenated method names: 'Qa3jUySfP9', 'wCDjmHU7YG', 'JE8jf0avAd', 'tlejabO7jM', 'a4tjqiy4Qm', 'fDtj6WxI2K', 'k1TRAUGGd2NpGs9a62', 'L1EqBeXUVYRn6WxWKt', 'AGyjj1dkGR', 'wE4jWd37OK'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, wZstEDOOdO8UStShk9K.csHigh entropy of concatenated method names: 'ToString', 'Rm3oW8L5UJ', 'dv7opPvxwC', 'BKXoB2o3si', 'auUoTqxQ5D', 't4Iob3vMmK', 'C16oVuZZKi', 'uDyo9nichX', 'eWyfyLk8Jd2obMaibEl', 'BL3rQEkYSASUksrauWf'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, VvEVcgOJbUS9KqyvNFG.csHigh entropy of concatenated method names: 'mhjeRoAfAN', 'G02e4REZTV', 'FSEeDQ4q8f', 'LAmexpWcO6', 'wUReLhtt04', 'AOxerkiTIN', 'H0leHaIgPU', 'nHGeXiRrF5', 'k1geiZkvG0', 'iHUedV3rIX'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, BqkP0k5ZX0aNudYmmI.csHigh entropy of concatenated method names: 'RtmqJ3uRAO', 'MxxqA0pLws', 'x8LqQcT9mw', 'xE5qSINixH', 'to7qks9d9n', 'bLtq2wenpO', 'VnOqPp85Hx', 'EQgqYlyN7E', 'dUOqhWNc6y', 'rZTqvdVM5T'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, YYbExWCfH0l9s2xqMN.csHigh entropy of concatenated method names: 'H0cWBdvuuO', 'hj5WTm6ahE', 'FBEWbLfHV8', 'HmJWVA3JLr', 'bL8W9cS6GJ', 'JOaWOmWSH8', 'dw5WUDUidf', 'I4HWmiH1eR', 'SfRWlhJHyH', 'x4PWflcjUa'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, MwdYqBQb52Up6ZsPIH.csHigh entropy of concatenated method names: 'R4o9LBIgdk', 'D3Z9HmPOg9', 'uJFV2Ewt3E', 'tBkVP1wx8G', 'x0oVY4Asoe', 'SDSVh3nYMU', 'DryVvL8NGj', 'iuoVErxgpQ', 'SC1VtSHjVW', 'wnlVJ5y5DT'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, K8DvWO0OQ0y0P2HYYP.csHigh entropy of concatenated method names: 'WCRDFyV5i', 'b00xNKIqj', 'HPArcxWQu', 'EsiHQfkVA', 'm3MiKb2al', 'P4nd7Sjnf', 'FZI1BIiunDI5WHZHSD', 'AX1DWQJby4SDJa1C0f', 'UPOZPBeuv', 's5doqMJdU'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, D4xcGkbLla45hKFYJW.csHigh entropy of concatenated method names: 'GQxUR2OqsH', 'Tw6U4Z7KiY', 'JbDUD59yQO', 'cY7Uxi9jvr', 'nbSULNVMIQ', 'McDUrvPYHe', 'NuXUH7S5be', 'tfgUXgTxuV', 'eOEUilFxv1', 'xbTUdDK6qF'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, HxDMCrXANoRhtpQhBW.csHigh entropy of concatenated method names: 'ejyZTTNqaP', 'RpXZbwPIni', 'qReZVpcsjj', 'KqKZ9EdB5i', 'FDEZOCwcqG', 'UjPZUlS4kM', 'eqjZmLOAN9', 'T4kZlK0Jk4', 'M2FZflq9Ye', 'wArZaLr05a'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, IeUPqcO0nZapYk52TTu.csHigh entropy of concatenated method names: 'qhZoRcKfHO', 'eeVo479tjL', 'u3JoDy7mV4', 'zUtR7MkzGT34Y9N90Zk', 'hxdwqpUyh0umHb05kjn', 'V1ixAHUqUignrTgC59G', 'LFEtJCUfO9PR2GTQ6bX'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, SsMTLe7AVnYmeASBrl.csHigh entropy of concatenated method names: 'vp6UTgMEe0', 'i3ZUVLHbeT', 'sEUUOWHJr5', 'v2XOIx5XMG', 'OwgOznESdQ', 'E7XUc11cbf', 'zBfUj2vhYt', 'Vj0UuAdc1l', 'mDIUWoNXbs', 'X1YUpnK3mp'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, PxjwFjHAKrLliCyxoA.csHigh entropy of concatenated method names: 'Dispose', 'BqFjFJl0B6', 'CGpukGbtjd', 'yV988Gti4L', 'JPljIyDkOg', 'k1Zjzg4fiA', 'ProcessDialogKey', 'ck5uc7njui', 'q7mujyFePO', 'z35uu0LHEl'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, agkHnU2eDnE8C5Pykt.csHigh entropy of concatenated method names: 'IH5ZNw2Vsg', 'WChZkQKa6v', 'OJVZ2jStQI', 'rAkZPPECYQ', 'sf6ZQntUjE', 'fpvZY4Kf6L', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, IN7jgBLcbwBerHgPAZ.csHigh entropy of concatenated method names: 'vPkwKRQfcY', 'wqXwIX6xw4', 'OUgZcYHRlj', 'lsDZjIoyQ3', 'W2kwnJuinT', 'LlBwAOZS3v', 'W6bw5fp7in', 'NBFwQpZqQT', 'bj1wSnMkvn', 'zsJwso5BdV'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.42b0cc0.6.raw.unpack, Iuy6ipwaqnEwp9u50e.csHigh entropy of concatenated method names: 'BBwMX0I5BJ', 'dfwMiB6jpT', 'WbbMNBUeeP', 'gGZMkVJNP0', 'hM8MPQ5FOm', 'SHqMYUtALJ', 'sXJMvVv2a9', 'midME7wleJ', 'AdgMJg7bnu', 'PsIMnfyFyl'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, XHy2YHxYFy24G9efMi.csHigh entropy of concatenated method names: 'xAdOBjWEQf', 'DjGObeq7aB', 'DgFO9fDKEP', 'oMnOUMn6of', 'KDNOmgM1oW', 'pfH9GQWxHl', 'u4M90gIvjc', 'fAo9yPqNuy', 'qCw9K8HSy8', 'XpG9FbCn3V'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, HG7aVPjV0Xm5cb5HsE.csHigh entropy of concatenated method names: 'NXAejqyAda', 'reneWxh1jK', 'cc0eppsCN3', 'L59eTkdA7W', 'AHtebcVQCN', 'nxse9EshRP', 'OMfeOf6rfu', 'ar0ZyoKQSw', 'IkoZKiZswZ', 'dv7ZFJYYSQ'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, UuH2s48SCWJNtdlBDd.csHigh entropy of concatenated method names: 'VYHVxiibqB', 'BCHVrQesBD', 'A0WVXK7RFM', 'PbRVi7JTkv', 'qd9Vq2Mwxo', 'eQKV6tsXX2', 'PKEVw4mh0o', 'FdsVZpySBn', 'kAZVexuRdi', 'TouVoOCVMS'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, z4LpfGv01ne7UPQfiZ.csHigh entropy of concatenated method names: 'a3YbQXLgxw', 'oLybSlBow7', 'D5mbsHg0lq', 'x2gbgcW3ox', 'OIlbGg4QYy', 'y8Gb0ml0Hb', 'Jhobylv1om', 'OafbKmZVhg', 'EBPbFmec0b', 'vWnbILm4p9'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, c9x0sbzteSxca5gh7D.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T9deM7ALKp', 'YY1eqtQUdj', 'PuMe6TNliW', 'eEFewcq1x6', 'ANgeZw5VGM', 'QiaeegxpW4', 'TP5eoEgUAl'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, mRKblgOsAnWsdNmVw6R.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'piBoQt1Dgq', 'MdCoS3MTLi', 'PFaosBFjXd', 'sHxogW7LgK', 'FNcoGlhorJ', 'bIKo0ObT5a', 'ul0oyumqJR'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, MY4KpsIamSgHxeAJnH.csHigh entropy of concatenated method names: 'Qa3jUySfP9', 'wCDjmHU7YG', 'JE8jf0avAd', 'tlejabO7jM', 'a4tjqiy4Qm', 'fDtj6WxI2K', 'k1TRAUGGd2NpGs9a62', 'L1EqBeXUVYRn6WxWKt', 'AGyjj1dkGR', 'wE4jWd37OK'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, wZstEDOOdO8UStShk9K.csHigh entropy of concatenated method names: 'ToString', 'Rm3oW8L5UJ', 'dv7opPvxwC', 'BKXoB2o3si', 'auUoTqxQ5D', 't4Iob3vMmK', 'C16oVuZZKi', 'uDyo9nichX', 'eWyfyLk8Jd2obMaibEl', 'BL3rQEkYSASUksrauWf'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, VvEVcgOJbUS9KqyvNFG.csHigh entropy of concatenated method names: 'mhjeRoAfAN', 'G02e4REZTV', 'FSEeDQ4q8f', 'LAmexpWcO6', 'wUReLhtt04', 'AOxerkiTIN', 'H0leHaIgPU', 'nHGeXiRrF5', 'k1geiZkvG0', 'iHUedV3rIX'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, BqkP0k5ZX0aNudYmmI.csHigh entropy of concatenated method names: 'RtmqJ3uRAO', 'MxxqA0pLws', 'x8LqQcT9mw', 'xE5qSINixH', 'to7qks9d9n', 'bLtq2wenpO', 'VnOqPp85Hx', 'EQgqYlyN7E', 'dUOqhWNc6y', 'rZTqvdVM5T'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, YYbExWCfH0l9s2xqMN.csHigh entropy of concatenated method names: 'H0cWBdvuuO', 'hj5WTm6ahE', 'FBEWbLfHV8', 'HmJWVA3JLr', 'bL8W9cS6GJ', 'JOaWOmWSH8', 'dw5WUDUidf', 'I4HWmiH1eR', 'SfRWlhJHyH', 'x4PWflcjUa'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, MwdYqBQb52Up6ZsPIH.csHigh entropy of concatenated method names: 'R4o9LBIgdk', 'D3Z9HmPOg9', 'uJFV2Ewt3E', 'tBkVP1wx8G', 'x0oVY4Asoe', 'SDSVh3nYMU', 'DryVvL8NGj', 'iuoVErxgpQ', 'SC1VtSHjVW', 'wnlVJ5y5DT'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, K8DvWO0OQ0y0P2HYYP.csHigh entropy of concatenated method names: 'WCRDFyV5i', 'b00xNKIqj', 'HPArcxWQu', 'EsiHQfkVA', 'm3MiKb2al', 'P4nd7Sjnf', 'FZI1BIiunDI5WHZHSD', 'AX1DWQJby4SDJa1C0f', 'UPOZPBeuv', 's5doqMJdU'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, D4xcGkbLla45hKFYJW.csHigh entropy of concatenated method names: 'GQxUR2OqsH', 'Tw6U4Z7KiY', 'JbDUD59yQO', 'cY7Uxi9jvr', 'nbSULNVMIQ', 'McDUrvPYHe', 'NuXUH7S5be', 'tfgUXgTxuV', 'eOEUilFxv1', 'xbTUdDK6qF'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, HxDMCrXANoRhtpQhBW.csHigh entropy of concatenated method names: 'ejyZTTNqaP', 'RpXZbwPIni', 'qReZVpcsjj', 'KqKZ9EdB5i', 'FDEZOCwcqG', 'UjPZUlS4kM', 'eqjZmLOAN9', 'T4kZlK0Jk4', 'M2FZflq9Ye', 'wArZaLr05a'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, IeUPqcO0nZapYk52TTu.csHigh entropy of concatenated method names: 'qhZoRcKfHO', 'eeVo479tjL', 'u3JoDy7mV4', 'zUtR7MkzGT34Y9N90Zk', 'hxdwqpUyh0umHb05kjn', 'V1ixAHUqUignrTgC59G', 'LFEtJCUfO9PR2GTQ6bX'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, SsMTLe7AVnYmeASBrl.csHigh entropy of concatenated method names: 'vp6UTgMEe0', 'i3ZUVLHbeT', 'sEUUOWHJr5', 'v2XOIx5XMG', 'OwgOznESdQ', 'E7XUc11cbf', 'zBfUj2vhYt', 'Vj0UuAdc1l', 'mDIUWoNXbs', 'X1YUpnK3mp'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, PxjwFjHAKrLliCyxoA.csHigh entropy of concatenated method names: 'Dispose', 'BqFjFJl0B6', 'CGpukGbtjd', 'yV988Gti4L', 'JPljIyDkOg', 'k1Zjzg4fiA', 'ProcessDialogKey', 'ck5uc7njui', 'q7mujyFePO', 'z35uu0LHEl'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, agkHnU2eDnE8C5Pykt.csHigh entropy of concatenated method names: 'IH5ZNw2Vsg', 'WChZkQKa6v', 'OJVZ2jStQI', 'rAkZPPECYQ', 'sf6ZQntUjE', 'fpvZY4Kf6L', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, IN7jgBLcbwBerHgPAZ.csHigh entropy of concatenated method names: 'vPkwKRQfcY', 'wqXwIX6xw4', 'OUgZcYHRlj', 'lsDZjIoyQ3', 'W2kwnJuinT', 'LlBwAOZS3v', 'W6bw5fp7in', 'NBFwQpZqQT', 'bj1wSnMkvn', 'zsJwso5BdV'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.7740000.8.raw.unpack, Iuy6ipwaqnEwp9u50e.csHigh entropy of concatenated method names: 'BBwMX0I5BJ', 'dfwMiB6jpT', 'WbbMNBUeeP', 'gGZMkVJNP0', 'hM8MPQ5FOm', 'SHqMYUtALJ', 'sXJMvVv2a9', 'midME7wleJ', 'AdgMJg7bnu', 'PsIMnfyFyl'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, XHy2YHxYFy24G9efMi.csHigh entropy of concatenated method names: 'xAdOBjWEQf', 'DjGObeq7aB', 'DgFO9fDKEP', 'oMnOUMn6of', 'KDNOmgM1oW', 'pfH9GQWxHl', 'u4M90gIvjc', 'fAo9yPqNuy', 'qCw9K8HSy8', 'XpG9FbCn3V'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, HG7aVPjV0Xm5cb5HsE.csHigh entropy of concatenated method names: 'NXAejqyAda', 'reneWxh1jK', 'cc0eppsCN3', 'L59eTkdA7W', 'AHtebcVQCN', 'nxse9EshRP', 'OMfeOf6rfu', 'ar0ZyoKQSw', 'IkoZKiZswZ', 'dv7ZFJYYSQ'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, UuH2s48SCWJNtdlBDd.csHigh entropy of concatenated method names: 'VYHVxiibqB', 'BCHVrQesBD', 'A0WVXK7RFM', 'PbRVi7JTkv', 'qd9Vq2Mwxo', 'eQKV6tsXX2', 'PKEVw4mh0o', 'FdsVZpySBn', 'kAZVexuRdi', 'TouVoOCVMS'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, z4LpfGv01ne7UPQfiZ.csHigh entropy of concatenated method names: 'a3YbQXLgxw', 'oLybSlBow7', 'D5mbsHg0lq', 'x2gbgcW3ox', 'OIlbGg4QYy', 'y8Gb0ml0Hb', 'Jhobylv1om', 'OafbKmZVhg', 'EBPbFmec0b', 'vWnbILm4p9'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, c9x0sbzteSxca5gh7D.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T9deM7ALKp', 'YY1eqtQUdj', 'PuMe6TNliW', 'eEFewcq1x6', 'ANgeZw5VGM', 'QiaeegxpW4', 'TP5eoEgUAl'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, mRKblgOsAnWsdNmVw6R.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'piBoQt1Dgq', 'MdCoS3MTLi', 'PFaosBFjXd', 'sHxogW7LgK', 'FNcoGlhorJ', 'bIKo0ObT5a', 'ul0oyumqJR'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, MY4KpsIamSgHxeAJnH.csHigh entropy of concatenated method names: 'Qa3jUySfP9', 'wCDjmHU7YG', 'JE8jf0avAd', 'tlejabO7jM', 'a4tjqiy4Qm', 'fDtj6WxI2K', 'k1TRAUGGd2NpGs9a62', 'L1EqBeXUVYRn6WxWKt', 'AGyjj1dkGR', 'wE4jWd37OK'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, wZstEDOOdO8UStShk9K.csHigh entropy of concatenated method names: 'ToString', 'Rm3oW8L5UJ', 'dv7opPvxwC', 'BKXoB2o3si', 'auUoTqxQ5D', 't4Iob3vMmK', 'C16oVuZZKi', 'uDyo9nichX', 'eWyfyLk8Jd2obMaibEl', 'BL3rQEkYSASUksrauWf'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, VvEVcgOJbUS9KqyvNFG.csHigh entropy of concatenated method names: 'mhjeRoAfAN', 'G02e4REZTV', 'FSEeDQ4q8f', 'LAmexpWcO6', 'wUReLhtt04', 'AOxerkiTIN', 'H0leHaIgPU', 'nHGeXiRrF5', 'k1geiZkvG0', 'iHUedV3rIX'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, BqkP0k5ZX0aNudYmmI.csHigh entropy of concatenated method names: 'RtmqJ3uRAO', 'MxxqA0pLws', 'x8LqQcT9mw', 'xE5qSINixH', 'to7qks9d9n', 'bLtq2wenpO', 'VnOqPp85Hx', 'EQgqYlyN7E', 'dUOqhWNc6y', 'rZTqvdVM5T'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, YYbExWCfH0l9s2xqMN.csHigh entropy of concatenated method names: 'H0cWBdvuuO', 'hj5WTm6ahE', 'FBEWbLfHV8', 'HmJWVA3JLr', 'bL8W9cS6GJ', 'JOaWOmWSH8', 'dw5WUDUidf', 'I4HWmiH1eR', 'SfRWlhJHyH', 'x4PWflcjUa'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, MwdYqBQb52Up6ZsPIH.csHigh entropy of concatenated method names: 'R4o9LBIgdk', 'D3Z9HmPOg9', 'uJFV2Ewt3E', 'tBkVP1wx8G', 'x0oVY4Asoe', 'SDSVh3nYMU', 'DryVvL8NGj', 'iuoVErxgpQ', 'SC1VtSHjVW', 'wnlVJ5y5DT'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, K8DvWO0OQ0y0P2HYYP.csHigh entropy of concatenated method names: 'WCRDFyV5i', 'b00xNKIqj', 'HPArcxWQu', 'EsiHQfkVA', 'm3MiKb2al', 'P4nd7Sjnf', 'FZI1BIiunDI5WHZHSD', 'AX1DWQJby4SDJa1C0f', 'UPOZPBeuv', 's5doqMJdU'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, D4xcGkbLla45hKFYJW.csHigh entropy of concatenated method names: 'GQxUR2OqsH', 'Tw6U4Z7KiY', 'JbDUD59yQO', 'cY7Uxi9jvr', 'nbSULNVMIQ', 'McDUrvPYHe', 'NuXUH7S5be', 'tfgUXgTxuV', 'eOEUilFxv1', 'xbTUdDK6qF'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, HxDMCrXANoRhtpQhBW.csHigh entropy of concatenated method names: 'ejyZTTNqaP', 'RpXZbwPIni', 'qReZVpcsjj', 'KqKZ9EdB5i', 'FDEZOCwcqG', 'UjPZUlS4kM', 'eqjZmLOAN9', 'T4kZlK0Jk4', 'M2FZflq9Ye', 'wArZaLr05a'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, IeUPqcO0nZapYk52TTu.csHigh entropy of concatenated method names: 'qhZoRcKfHO', 'eeVo479tjL', 'u3JoDy7mV4', 'zUtR7MkzGT34Y9N90Zk', 'hxdwqpUyh0umHb05kjn', 'V1ixAHUqUignrTgC59G', 'LFEtJCUfO9PR2GTQ6bX'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, SsMTLe7AVnYmeASBrl.csHigh entropy of concatenated method names: 'vp6UTgMEe0', 'i3ZUVLHbeT', 'sEUUOWHJr5', 'v2XOIx5XMG', 'OwgOznESdQ', 'E7XUc11cbf', 'zBfUj2vhYt', 'Vj0UuAdc1l', 'mDIUWoNXbs', 'X1YUpnK3mp'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, PxjwFjHAKrLliCyxoA.csHigh entropy of concatenated method names: 'Dispose', 'BqFjFJl0B6', 'CGpukGbtjd', 'yV988Gti4L', 'JPljIyDkOg', 'k1Zjzg4fiA', 'ProcessDialogKey', 'ck5uc7njui', 'q7mujyFePO', 'z35uu0LHEl'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, agkHnU2eDnE8C5Pykt.csHigh entropy of concatenated method names: 'IH5ZNw2Vsg', 'WChZkQKa6v', 'OJVZ2jStQI', 'rAkZPPECYQ', 'sf6ZQntUjE', 'fpvZY4Kf6L', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, IN7jgBLcbwBerHgPAZ.csHigh entropy of concatenated method names: 'vPkwKRQfcY', 'wqXwIX6xw4', 'OUgZcYHRlj', 'lsDZjIoyQ3', 'W2kwnJuinT', 'LlBwAOZS3v', 'W6bw5fp7in', 'NBFwQpZqQT', 'bj1wSnMkvn', 'zsJwso5BdV'
          Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.4334ce0.5.raw.unpack, Iuy6ipwaqnEwp9u50e.csHigh entropy of concatenated method names: 'BBwMX0I5BJ', 'dfwMiB6jpT', 'WbbMNBUeeP', 'gGZMkVJNP0', 'hM8MPQ5FOm', 'SHqMYUtALJ', 'sXJMvVv2a9', 'midME7wleJ', 'AdgMJg7bnu', 'PsIMnfyFyl'

          Hooking and other Techniques for Hiding and Protection

          barindex
          Loading BitLocker PowerShell Module
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Yara detected AntiVM3
          Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe PID: 6580, type: MEMORYSTR
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeMemory allocated: 2C10000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeMemory allocated: 2F30000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeMemory allocated: 2C10000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeMemory allocated: 7F10000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeMemory allocated: 8F10000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeMemory allocated: 91C0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeMemory allocated: A1C0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0104096E rdtsc 4_2_0104096E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5570Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1461Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeAPI coverage: 0.3 %
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe TID: 6660Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7236Thread sleep time: -6456360425798339s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: Amcache.hve.8.drBinary or memory string: VMware
          Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin
          Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.
          Source: Amcache.hve.8.drBinary or memory string: VMware20,1hbin@
          Source: Amcache.hve.8.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.8.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.8.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.8.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: Amcache.hve.8.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.8.drBinary or memory string: vmci.sys
          Source: Amcache.hve.8.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
          Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin`
          Source: Amcache.hve.8.drBinary or memory string: \driver\vmci,\driver\pci
          Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.8.drBinary or memory string: VMware20,1
          Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.8.drBinary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.8.drBinary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.8.drBinary or memory string: VMware Virtual RAM
          Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.8.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0104096E rdtsc 4_2_0104096E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_01042DF0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE10E mov eax, dword ptr fs:[00000030h]4_2_010AE10E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE10E mov ecx, dword ptr fs:[00000030h]4_2_010AE10E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE10E mov eax, dword ptr fs:[00000030h]4_2_010AE10E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE10E mov eax, dword ptr fs:[00000030h]4_2_010AE10E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE10E mov ecx, dword ptr fs:[00000030h]4_2_010AE10E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE10E mov eax, dword ptr fs:[00000030h]4_2_010AE10E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE10E mov eax, dword ptr fs:[00000030h]4_2_010AE10E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE10E mov ecx, dword ptr fs:[00000030h]4_2_010AE10E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE10E mov eax, dword ptr fs:[00000030h]4_2_010AE10E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE10E mov ecx, dword ptr fs:[00000030h]4_2_010AE10E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFC0F0 mov eax, dword ptr fs:[00000030h]4_2_00FFC0F0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AA118 mov ecx, dword ptr fs:[00000030h]4_2_010AA118
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AA118 mov eax, dword ptr fs:[00000030h]4_2_010AA118
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AA118 mov eax, dword ptr fs:[00000030h]4_2_010AA118
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AA118 mov eax, dword ptr fs:[00000030h]4_2_010AA118
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C0115 mov eax, dword ptr fs:[00000030h]4_2_010C0115
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFA0E3 mov ecx, dword ptr fs:[00000030h]4_2_00FFA0E3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01030124 mov eax, dword ptr fs:[00000030h]4_2_01030124
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01094144 mov eax, dword ptr fs:[00000030h]4_2_01094144
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01094144 mov eax, dword ptr fs:[00000030h]4_2_01094144
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01094144 mov ecx, dword ptr fs:[00000030h]4_2_01094144
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01094144 mov eax, dword ptr fs:[00000030h]4_2_01094144
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01094144 mov eax, dword ptr fs:[00000030h]4_2_01094144
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01098158 mov eax, dword ptr fs:[00000030h]4_2_01098158
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01006154 mov eax, dword ptr fs:[00000030h]4_2_01006154
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01006154 mov eax, dword ptr fs:[00000030h]4_2_01006154
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FF80A0 mov eax, dword ptr fs:[00000030h]4_2_00FF80A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D4164 mov eax, dword ptr fs:[00000030h]4_2_010D4164
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D4164 mov eax, dword ptr fs:[00000030h]4_2_010D4164
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01040185 mov eax, dword ptr fs:[00000030h]4_2_01040185
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010BC188 mov eax, dword ptr fs:[00000030h]4_2_010BC188
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010BC188 mov eax, dword ptr fs:[00000030h]4_2_010BC188
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A4180 mov eax, dword ptr fs:[00000030h]4_2_010A4180
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A4180 mov eax, dword ptr fs:[00000030h]4_2_010A4180
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108019F mov eax, dword ptr fs:[00000030h]4_2_0108019F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108019F mov eax, dword ptr fs:[00000030h]4_2_0108019F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108019F mov eax, dword ptr fs:[00000030h]4_2_0108019F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108019F mov eax, dword ptr fs:[00000030h]4_2_0108019F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C61C3 mov eax, dword ptr fs:[00000030h]4_2_010C61C3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C61C3 mov eax, dword ptr fs:[00000030h]4_2_010C61C3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107E1D0 mov eax, dword ptr fs:[00000030h]4_2_0107E1D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107E1D0 mov eax, dword ptr fs:[00000030h]4_2_0107E1D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107E1D0 mov ecx, dword ptr fs:[00000030h]4_2_0107E1D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107E1D0 mov eax, dword ptr fs:[00000030h]4_2_0107E1D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107E1D0 mov eax, dword ptr fs:[00000030h]4_2_0107E1D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFA020 mov eax, dword ptr fs:[00000030h]4_2_00FFA020
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFC020 mov eax, dword ptr fs:[00000030h]4_2_00FFC020
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D61E5 mov eax, dword ptr fs:[00000030h]4_2_010D61E5
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010301F8 mov eax, dword ptr fs:[00000030h]4_2_010301F8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01084000 mov ecx, dword ptr fs:[00000030h]4_2_01084000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A2000 mov eax, dword ptr fs:[00000030h]4_2_010A2000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A2000 mov eax, dword ptr fs:[00000030h]4_2_010A2000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A2000 mov eax, dword ptr fs:[00000030h]4_2_010A2000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A2000 mov eax, dword ptr fs:[00000030h]4_2_010A2000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A2000 mov eax, dword ptr fs:[00000030h]4_2_010A2000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A2000 mov eax, dword ptr fs:[00000030h]4_2_010A2000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A2000 mov eax, dword ptr fs:[00000030h]4_2_010A2000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A2000 mov eax, dword ptr fs:[00000030h]4_2_010A2000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101E016 mov eax, dword ptr fs:[00000030h]4_2_0101E016
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101E016 mov eax, dword ptr fs:[00000030h]4_2_0101E016
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101E016 mov eax, dword ptr fs:[00000030h]4_2_0101E016
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101E016 mov eax, dword ptr fs:[00000030h]4_2_0101E016
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01096030 mov eax, dword ptr fs:[00000030h]4_2_01096030
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01002050 mov eax, dword ptr fs:[00000030h]4_2_01002050
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01086050 mov eax, dword ptr fs:[00000030h]4_2_01086050
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFA197 mov eax, dword ptr fs:[00000030h]4_2_00FFA197
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFA197 mov eax, dword ptr fs:[00000030h]4_2_00FFA197
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFA197 mov eax, dword ptr fs:[00000030h]4_2_00FFA197
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102C073 mov eax, dword ptr fs:[00000030h]4_2_0102C073
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100208A mov eax, dword ptr fs:[00000030h]4_2_0100208A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010980A8 mov eax, dword ptr fs:[00000030h]4_2_010980A8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFC156 mov eax, dword ptr fs:[00000030h]4_2_00FFC156
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C60B8 mov eax, dword ptr fs:[00000030h]4_2_010C60B8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C60B8 mov ecx, dword ptr fs:[00000030h]4_2_010C60B8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010820DE mov eax, dword ptr fs:[00000030h]4_2_010820DE
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010860E0 mov eax, dword ptr fs:[00000030h]4_2_010860E0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010080E9 mov eax, dword ptr fs:[00000030h]4_2_010080E9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010420F0 mov ecx, dword ptr fs:[00000030h]4_2_010420F0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103A30B mov eax, dword ptr fs:[00000030h]4_2_0103A30B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103A30B mov eax, dword ptr fs:[00000030h]4_2_0103A30B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103A30B mov eax, dword ptr fs:[00000030h]4_2_0103A30B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01020310 mov ecx, dword ptr fs:[00000030h]4_2_01020310
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D8324 mov eax, dword ptr fs:[00000030h]4_2_010D8324
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D8324 mov ecx, dword ptr fs:[00000030h]4_2_010D8324
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D8324 mov eax, dword ptr fs:[00000030h]4_2_010D8324
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D8324 mov eax, dword ptr fs:[00000030h]4_2_010D8324
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01082349 mov eax, dword ptr fs:[00000030h]4_2_01082349
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D634F mov eax, dword ptr fs:[00000030h]4_2_010D634F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108035C mov eax, dword ptr fs:[00000030h]4_2_0108035C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108035C mov eax, dword ptr fs:[00000030h]4_2_0108035C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108035C mov eax, dword ptr fs:[00000030h]4_2_0108035C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108035C mov ecx, dword ptr fs:[00000030h]4_2_0108035C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108035C mov eax, dword ptr fs:[00000030h]4_2_0108035C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108035C mov eax, dword ptr fs:[00000030h]4_2_0108035C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A8350 mov ecx, dword ptr fs:[00000030h]4_2_010A8350
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CA352 mov eax, dword ptr fs:[00000030h]4_2_010CA352
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A437C mov eax, dword ptr fs:[00000030h]4_2_010A437C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102438F mov eax, dword ptr fs:[00000030h]4_2_0102438F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102438F mov eax, dword ptr fs:[00000030h]4_2_0102438F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FF826B mov eax, dword ptr fs:[00000030h]4_2_00FF826B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFA250 mov eax, dword ptr fs:[00000030h]4_2_00FFA250
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A3C0 mov eax, dword ptr fs:[00000030h]4_2_0100A3C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A3C0 mov eax, dword ptr fs:[00000030h]4_2_0100A3C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A3C0 mov eax, dword ptr fs:[00000030h]4_2_0100A3C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A3C0 mov eax, dword ptr fs:[00000030h]4_2_0100A3C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A3C0 mov eax, dword ptr fs:[00000030h]4_2_0100A3C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A3C0 mov eax, dword ptr fs:[00000030h]4_2_0100A3C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010083C0 mov eax, dword ptr fs:[00000030h]4_2_010083C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010083C0 mov eax, dword ptr fs:[00000030h]4_2_010083C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010083C0 mov eax, dword ptr fs:[00000030h]4_2_010083C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010083C0 mov eax, dword ptr fs:[00000030h]4_2_010083C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FF823B mov eax, dword ptr fs:[00000030h]4_2_00FF823B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010BC3CD mov eax, dword ptr fs:[00000030h]4_2_010BC3CD
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010863C0 mov eax, dword ptr fs:[00000030h]4_2_010863C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE3DB mov eax, dword ptr fs:[00000030h]4_2_010AE3DB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE3DB mov eax, dword ptr fs:[00000030h]4_2_010AE3DB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE3DB mov ecx, dword ptr fs:[00000030h]4_2_010AE3DB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AE3DB mov eax, dword ptr fs:[00000030h]4_2_010AE3DB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A43D4 mov eax, dword ptr fs:[00000030h]4_2_010A43D4
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A43D4 mov eax, dword ptr fs:[00000030h]4_2_010A43D4
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010103E9 mov eax, dword ptr fs:[00000030h]4_2_010103E9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010103E9 mov eax, dword ptr fs:[00000030h]4_2_010103E9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010103E9 mov eax, dword ptr fs:[00000030h]4_2_010103E9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010103E9 mov eax, dword ptr fs:[00000030h]4_2_010103E9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010103E9 mov eax, dword ptr fs:[00000030h]4_2_010103E9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010103E9 mov eax, dword ptr fs:[00000030h]4_2_010103E9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010103E9 mov eax, dword ptr fs:[00000030h]4_2_010103E9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010103E9 mov eax, dword ptr fs:[00000030h]4_2_010103E9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101E3F0 mov eax, dword ptr fs:[00000030h]4_2_0101E3F0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101E3F0 mov eax, dword ptr fs:[00000030h]4_2_0101E3F0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101E3F0 mov eax, dword ptr fs:[00000030h]4_2_0101E3F0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010363FF mov eax, dword ptr fs:[00000030h]4_2_010363FF
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01088243 mov eax, dword ptr fs:[00000030h]4_2_01088243
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01088243 mov ecx, dword ptr fs:[00000030h]4_2_01088243
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D625D mov eax, dword ptr fs:[00000030h]4_2_010D625D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01006259 mov eax, dword ptr fs:[00000030h]4_2_01006259
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010BA250 mov eax, dword ptr fs:[00000030h]4_2_010BA250
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010BA250 mov eax, dword ptr fs:[00000030h]4_2_010BA250
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01004260 mov eax, dword ptr fs:[00000030h]4_2_01004260
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01004260 mov eax, dword ptr fs:[00000030h]4_2_01004260
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01004260 mov eax, dword ptr fs:[00000030h]4_2_01004260
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FF8397 mov eax, dword ptr fs:[00000030h]4_2_00FF8397
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FF8397 mov eax, dword ptr fs:[00000030h]4_2_00FF8397
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FF8397 mov eax, dword ptr fs:[00000030h]4_2_00FF8397
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFE388 mov eax, dword ptr fs:[00000030h]4_2_00FFE388
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFE388 mov eax, dword ptr fs:[00000030h]4_2_00FFE388
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFE388 mov eax, dword ptr fs:[00000030h]4_2_00FFE388
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0274 mov eax, dword ptr fs:[00000030h]4_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0274 mov eax, dword ptr fs:[00000030h]4_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0274 mov eax, dword ptr fs:[00000030h]4_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0274 mov eax, dword ptr fs:[00000030h]4_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0274 mov eax, dword ptr fs:[00000030h]4_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0274 mov eax, dword ptr fs:[00000030h]4_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0274 mov eax, dword ptr fs:[00000030h]4_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0274 mov eax, dword ptr fs:[00000030h]4_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0274 mov eax, dword ptr fs:[00000030h]4_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0274 mov eax, dword ptr fs:[00000030h]4_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0274 mov eax, dword ptr fs:[00000030h]4_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B0274 mov eax, dword ptr fs:[00000030h]4_2_010B0274
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E284 mov eax, dword ptr fs:[00000030h]4_2_0103E284
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E284 mov eax, dword ptr fs:[00000030h]4_2_0103E284
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01080283 mov eax, dword ptr fs:[00000030h]4_2_01080283
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01080283 mov eax, dword ptr fs:[00000030h]4_2_01080283
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01080283 mov eax, dword ptr fs:[00000030h]4_2_01080283
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010102A0 mov eax, dword ptr fs:[00000030h]4_2_010102A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010102A0 mov eax, dword ptr fs:[00000030h]4_2_010102A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010962A0 mov eax, dword ptr fs:[00000030h]4_2_010962A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010962A0 mov ecx, dword ptr fs:[00000030h]4_2_010962A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010962A0 mov eax, dword ptr fs:[00000030h]4_2_010962A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010962A0 mov eax, dword ptr fs:[00000030h]4_2_010962A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010962A0 mov eax, dword ptr fs:[00000030h]4_2_010962A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010962A0 mov eax, dword ptr fs:[00000030h]4_2_010962A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A2C3 mov eax, dword ptr fs:[00000030h]4_2_0100A2C3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A2C3 mov eax, dword ptr fs:[00000030h]4_2_0100A2C3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A2C3 mov eax, dword ptr fs:[00000030h]4_2_0100A2C3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A2C3 mov eax, dword ptr fs:[00000030h]4_2_0100A2C3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A2C3 mov eax, dword ptr fs:[00000030h]4_2_0100A2C3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D62D6 mov eax, dword ptr fs:[00000030h]4_2_010D62D6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010102E1 mov eax, dword ptr fs:[00000030h]4_2_010102E1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010102E1 mov eax, dword ptr fs:[00000030h]4_2_010102E1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010102E1 mov eax, dword ptr fs:[00000030h]4_2_010102E1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFC310 mov ecx, dword ptr fs:[00000030h]4_2_00FFC310
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01096500 mov eax, dword ptr fs:[00000030h]4_2_01096500
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D4500 mov eax, dword ptr fs:[00000030h]4_2_010D4500
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D4500 mov eax, dword ptr fs:[00000030h]4_2_010D4500
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D4500 mov eax, dword ptr fs:[00000030h]4_2_010D4500
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D4500 mov eax, dword ptr fs:[00000030h]4_2_010D4500
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D4500 mov eax, dword ptr fs:[00000030h]4_2_010D4500
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D4500 mov eax, dword ptr fs:[00000030h]4_2_010D4500
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D4500 mov eax, dword ptr fs:[00000030h]4_2_010D4500
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010535 mov eax, dword ptr fs:[00000030h]4_2_01010535
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010535 mov eax, dword ptr fs:[00000030h]4_2_01010535
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010535 mov eax, dword ptr fs:[00000030h]4_2_01010535
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010535 mov eax, dword ptr fs:[00000030h]4_2_01010535
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010535 mov eax, dword ptr fs:[00000030h]4_2_01010535
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010535 mov eax, dword ptr fs:[00000030h]4_2_01010535
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E53E mov eax, dword ptr fs:[00000030h]4_2_0102E53E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E53E mov eax, dword ptr fs:[00000030h]4_2_0102E53E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E53E mov eax, dword ptr fs:[00000030h]4_2_0102E53E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E53E mov eax, dword ptr fs:[00000030h]4_2_0102E53E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E53E mov eax, dword ptr fs:[00000030h]4_2_0102E53E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01008550 mov eax, dword ptr fs:[00000030h]4_2_01008550
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01008550 mov eax, dword ptr fs:[00000030h]4_2_01008550
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103656A mov eax, dword ptr fs:[00000030h]4_2_0103656A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103656A mov eax, dword ptr fs:[00000030h]4_2_0103656A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103656A mov eax, dword ptr fs:[00000030h]4_2_0103656A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01002582 mov eax, dword ptr fs:[00000030h]4_2_01002582
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01002582 mov ecx, dword ptr fs:[00000030h]4_2_01002582
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01034588 mov eax, dword ptr fs:[00000030h]4_2_01034588
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E59C mov eax, dword ptr fs:[00000030h]4_2_0103E59C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FF645D mov eax, dword ptr fs:[00000030h]4_2_00FF645D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010805A7 mov eax, dword ptr fs:[00000030h]4_2_010805A7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010805A7 mov eax, dword ptr fs:[00000030h]4_2_010805A7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010805A7 mov eax, dword ptr fs:[00000030h]4_2_010805A7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010245B1 mov eax, dword ptr fs:[00000030h]4_2_010245B1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010245B1 mov eax, dword ptr fs:[00000030h]4_2_010245B1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E5CF mov eax, dword ptr fs:[00000030h]4_2_0103E5CF
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E5CF mov eax, dword ptr fs:[00000030h]4_2_0103E5CF
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010065D0 mov eax, dword ptr fs:[00000030h]4_2_010065D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103A5D0 mov eax, dword ptr fs:[00000030h]4_2_0103A5D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103A5D0 mov eax, dword ptr fs:[00000030h]4_2_0103A5D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFC427 mov eax, dword ptr fs:[00000030h]4_2_00FFC427
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFE420 mov eax, dword ptr fs:[00000030h]4_2_00FFE420
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFE420 mov eax, dword ptr fs:[00000030h]4_2_00FFE420
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFE420 mov eax, dword ptr fs:[00000030h]4_2_00FFE420
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010025E0 mov eax, dword ptr fs:[00000030h]4_2_010025E0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E5E7 mov eax, dword ptr fs:[00000030h]4_2_0102E5E7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E5E7 mov eax, dword ptr fs:[00000030h]4_2_0102E5E7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E5E7 mov eax, dword ptr fs:[00000030h]4_2_0102E5E7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E5E7 mov eax, dword ptr fs:[00000030h]4_2_0102E5E7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E5E7 mov eax, dword ptr fs:[00000030h]4_2_0102E5E7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E5E7 mov eax, dword ptr fs:[00000030h]4_2_0102E5E7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E5E7 mov eax, dword ptr fs:[00000030h]4_2_0102E5E7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E5E7 mov eax, dword ptr fs:[00000030h]4_2_0102E5E7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103C5ED mov eax, dword ptr fs:[00000030h]4_2_0103C5ED
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103C5ED mov eax, dword ptr fs:[00000030h]4_2_0103C5ED
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01038402 mov eax, dword ptr fs:[00000030h]4_2_01038402
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01038402 mov eax, dword ptr fs:[00000030h]4_2_01038402
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01038402 mov eax, dword ptr fs:[00000030h]4_2_01038402
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01086420 mov eax, dword ptr fs:[00000030h]4_2_01086420
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01086420 mov eax, dword ptr fs:[00000030h]4_2_01086420
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01086420 mov eax, dword ptr fs:[00000030h]4_2_01086420
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01086420 mov eax, dword ptr fs:[00000030h]4_2_01086420
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01086420 mov eax, dword ptr fs:[00000030h]4_2_01086420
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01086420 mov eax, dword ptr fs:[00000030h]4_2_01086420
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01086420 mov eax, dword ptr fs:[00000030h]4_2_01086420
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103A430 mov eax, dword ptr fs:[00000030h]4_2_0103A430
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E443 mov eax, dword ptr fs:[00000030h]4_2_0103E443
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E443 mov eax, dword ptr fs:[00000030h]4_2_0103E443
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E443 mov eax, dword ptr fs:[00000030h]4_2_0103E443
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E443 mov eax, dword ptr fs:[00000030h]4_2_0103E443
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E443 mov eax, dword ptr fs:[00000030h]4_2_0103E443
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E443 mov eax, dword ptr fs:[00000030h]4_2_0103E443
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E443 mov eax, dword ptr fs:[00000030h]4_2_0103E443
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103E443 mov eax, dword ptr fs:[00000030h]4_2_0103E443
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102245A mov eax, dword ptr fs:[00000030h]4_2_0102245A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010BA456 mov eax, dword ptr fs:[00000030h]4_2_010BA456
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108C460 mov ecx, dword ptr fs:[00000030h]4_2_0108C460
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102A470 mov eax, dword ptr fs:[00000030h]4_2_0102A470
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102A470 mov eax, dword ptr fs:[00000030h]4_2_0102A470
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102A470 mov eax, dword ptr fs:[00000030h]4_2_0102A470
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010BA49A mov eax, dword ptr fs:[00000030h]4_2_010BA49A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010064AB mov eax, dword ptr fs:[00000030h]4_2_010064AB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010344B0 mov ecx, dword ptr fs:[00000030h]4_2_010344B0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108A4B0 mov eax, dword ptr fs:[00000030h]4_2_0108A4B0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010004E5 mov ecx, dword ptr fs:[00000030h]4_2_010004E5
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103C700 mov eax, dword ptr fs:[00000030h]4_2_0103C700
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01000710 mov eax, dword ptr fs:[00000030h]4_2_01000710
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01030710 mov eax, dword ptr fs:[00000030h]4_2_01030710
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103C720 mov eax, dword ptr fs:[00000030h]4_2_0103C720
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103C720 mov eax, dword ptr fs:[00000030h]4_2_0103C720
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107C730 mov eax, dword ptr fs:[00000030h]4_2_0107C730
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103273C mov eax, dword ptr fs:[00000030h]4_2_0103273C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103273C mov ecx, dword ptr fs:[00000030h]4_2_0103273C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103273C mov eax, dword ptr fs:[00000030h]4_2_0103273C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103674D mov esi, dword ptr fs:[00000030h]4_2_0103674D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103674D mov eax, dword ptr fs:[00000030h]4_2_0103674D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103674D mov eax, dword ptr fs:[00000030h]4_2_0103674D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01000750 mov eax, dword ptr fs:[00000030h]4_2_01000750
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042750 mov eax, dword ptr fs:[00000030h]4_2_01042750
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042750 mov eax, dword ptr fs:[00000030h]4_2_01042750
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108E75D mov eax, dword ptr fs:[00000030h]4_2_0108E75D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01084755 mov eax, dword ptr fs:[00000030h]4_2_01084755
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01008770 mov eax, dword ptr fs:[00000030h]4_2_01008770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010770 mov eax, dword ptr fs:[00000030h]4_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010770 mov eax, dword ptr fs:[00000030h]4_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010770 mov eax, dword ptr fs:[00000030h]4_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010770 mov eax, dword ptr fs:[00000030h]4_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010770 mov eax, dword ptr fs:[00000030h]4_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010770 mov eax, dword ptr fs:[00000030h]4_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010770 mov eax, dword ptr fs:[00000030h]4_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010770 mov eax, dword ptr fs:[00000030h]4_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010770 mov eax, dword ptr fs:[00000030h]4_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010770 mov eax, dword ptr fs:[00000030h]4_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010770 mov eax, dword ptr fs:[00000030h]4_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010770 mov eax, dword ptr fs:[00000030h]4_2_01010770
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A678E mov eax, dword ptr fs:[00000030h]4_2_010A678E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B47A0 mov eax, dword ptr fs:[00000030h]4_2_010B47A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010007AF mov eax, dword ptr fs:[00000030h]4_2_010007AF
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100C7C0 mov eax, dword ptr fs:[00000030h]4_2_0100C7C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010807C3 mov eax, dword ptr fs:[00000030h]4_2_010807C3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108E7E1 mov eax, dword ptr fs:[00000030h]4_2_0108E7E1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010227ED mov eax, dword ptr fs:[00000030h]4_2_010227ED
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010227ED mov eax, dword ptr fs:[00000030h]4_2_010227ED
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010227ED mov eax, dword ptr fs:[00000030h]4_2_010227ED
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010047FB mov eax, dword ptr fs:[00000030h]4_2_010047FB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010047FB mov eax, dword ptr fs:[00000030h]4_2_010047FB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101260B mov eax, dword ptr fs:[00000030h]4_2_0101260B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101260B mov eax, dword ptr fs:[00000030h]4_2_0101260B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101260B mov eax, dword ptr fs:[00000030h]4_2_0101260B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101260B mov eax, dword ptr fs:[00000030h]4_2_0101260B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101260B mov eax, dword ptr fs:[00000030h]4_2_0101260B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101260B mov eax, dword ptr fs:[00000030h]4_2_0101260B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101260B mov eax, dword ptr fs:[00000030h]4_2_0101260B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107E609 mov eax, dword ptr fs:[00000030h]4_2_0107E609
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01042619 mov eax, dword ptr fs:[00000030h]4_2_01042619
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01036620 mov eax, dword ptr fs:[00000030h]4_2_01036620
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01038620 mov eax, dword ptr fs:[00000030h]4_2_01038620
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101E627 mov eax, dword ptr fs:[00000030h]4_2_0101E627
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100262C mov eax, dword ptr fs:[00000030h]4_2_0100262C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0101C640 mov eax, dword ptr fs:[00000030h]4_2_0101C640
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C866E mov eax, dword ptr fs:[00000030h]4_2_010C866E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C866E mov eax, dword ptr fs:[00000030h]4_2_010C866E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103A660 mov eax, dword ptr fs:[00000030h]4_2_0103A660
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103A660 mov eax, dword ptr fs:[00000030h]4_2_0103A660
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01032674 mov eax, dword ptr fs:[00000030h]4_2_01032674
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01004690 mov eax, dword ptr fs:[00000030h]4_2_01004690
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01004690 mov eax, dword ptr fs:[00000030h]4_2_01004690
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103C6A6 mov eax, dword ptr fs:[00000030h]4_2_0103C6A6
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010366B0 mov eax, dword ptr fs:[00000030h]4_2_010366B0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103A6C7 mov ebx, dword ptr fs:[00000030h]4_2_0103A6C7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103A6C7 mov eax, dword ptr fs:[00000030h]4_2_0103A6C7
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107E6F2 mov eax, dword ptr fs:[00000030h]4_2_0107E6F2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107E6F2 mov eax, dword ptr fs:[00000030h]4_2_0107E6F2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107E6F2 mov eax, dword ptr fs:[00000030h]4_2_0107E6F2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107E6F2 mov eax, dword ptr fs:[00000030h]4_2_0107E6F2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010806F1 mov eax, dword ptr fs:[00000030h]4_2_010806F1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010806F1 mov eax, dword ptr fs:[00000030h]4_2_010806F1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107E908 mov eax, dword ptr fs:[00000030h]4_2_0107E908
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107E908 mov eax, dword ptr fs:[00000030h]4_2_0107E908
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108C912 mov eax, dword ptr fs:[00000030h]4_2_0108C912
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108892A mov eax, dword ptr fs:[00000030h]4_2_0108892A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0109892B mov eax, dword ptr fs:[00000030h]4_2_0109892B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D4940 mov eax, dword ptr fs:[00000030h]4_2_010D4940
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01080946 mov eax, dword ptr fs:[00000030h]4_2_01080946
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01026962 mov eax, dword ptr fs:[00000030h]4_2_01026962
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01026962 mov eax, dword ptr fs:[00000030h]4_2_01026962
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01026962 mov eax, dword ptr fs:[00000030h]4_2_01026962
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0104096E mov eax, dword ptr fs:[00000030h]4_2_0104096E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0104096E mov edx, dword ptr fs:[00000030h]4_2_0104096E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0104096E mov eax, dword ptr fs:[00000030h]4_2_0104096E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A4978 mov eax, dword ptr fs:[00000030h]4_2_010A4978
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A4978 mov eax, dword ptr fs:[00000030h]4_2_010A4978
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108C97C mov eax, dword ptr fs:[00000030h]4_2_0108C97C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010129A0 mov eax, dword ptr fs:[00000030h]4_2_010129A0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010009AD mov eax, dword ptr fs:[00000030h]4_2_010009AD
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010009AD mov eax, dword ptr fs:[00000030h]4_2_010009AD
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010889B3 mov esi, dword ptr fs:[00000030h]4_2_010889B3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010889B3 mov eax, dword ptr fs:[00000030h]4_2_010889B3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010889B3 mov eax, dword ptr fs:[00000030h]4_2_010889B3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010969C0 mov eax, dword ptr fs:[00000030h]4_2_010969C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A9D0 mov eax, dword ptr fs:[00000030h]4_2_0100A9D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A9D0 mov eax, dword ptr fs:[00000030h]4_2_0100A9D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A9D0 mov eax, dword ptr fs:[00000030h]4_2_0100A9D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A9D0 mov eax, dword ptr fs:[00000030h]4_2_0100A9D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A9D0 mov eax, dword ptr fs:[00000030h]4_2_0100A9D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100A9D0 mov eax, dword ptr fs:[00000030h]4_2_0100A9D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010349D0 mov eax, dword ptr fs:[00000030h]4_2_010349D0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CA9D3 mov eax, dword ptr fs:[00000030h]4_2_010CA9D3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108E9E0 mov eax, dword ptr fs:[00000030h]4_2_0108E9E0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010329F9 mov eax, dword ptr fs:[00000030h]4_2_010329F9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010329F9 mov eax, dword ptr fs:[00000030h]4_2_010329F9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108C810 mov eax, dword ptr fs:[00000030h]4_2_0108C810
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A483A mov eax, dword ptr fs:[00000030h]4_2_010A483A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A483A mov eax, dword ptr fs:[00000030h]4_2_010A483A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103A830 mov eax, dword ptr fs:[00000030h]4_2_0103A830
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01022835 mov eax, dword ptr fs:[00000030h]4_2_01022835
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01022835 mov eax, dword ptr fs:[00000030h]4_2_01022835
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01022835 mov eax, dword ptr fs:[00000030h]4_2_01022835
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01022835 mov ecx, dword ptr fs:[00000030h]4_2_01022835
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01022835 mov eax, dword ptr fs:[00000030h]4_2_01022835
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01022835 mov eax, dword ptr fs:[00000030h]4_2_01022835
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01012840 mov ecx, dword ptr fs:[00000030h]4_2_01012840
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01030854 mov eax, dword ptr fs:[00000030h]4_2_01030854
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01004859 mov eax, dword ptr fs:[00000030h]4_2_01004859
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01004859 mov eax, dword ptr fs:[00000030h]4_2_01004859
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01096870 mov eax, dword ptr fs:[00000030h]4_2_01096870
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01096870 mov eax, dword ptr fs:[00000030h]4_2_01096870
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108E872 mov eax, dword ptr fs:[00000030h]4_2_0108E872
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108E872 mov eax, dword ptr fs:[00000030h]4_2_0108E872
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01000887 mov eax, dword ptr fs:[00000030h]4_2_01000887
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108C89D mov eax, dword ptr fs:[00000030h]4_2_0108C89D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102E8C0 mov eax, dword ptr fs:[00000030h]4_2_0102E8C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D08C0 mov eax, dword ptr fs:[00000030h]4_2_010D08C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FF8918 mov eax, dword ptr fs:[00000030h]4_2_00FF8918
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FF8918 mov eax, dword ptr fs:[00000030h]4_2_00FF8918
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CA8E4 mov eax, dword ptr fs:[00000030h]4_2_010CA8E4
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103C8F9 mov eax, dword ptr fs:[00000030h]4_2_0103C8F9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103C8F9 mov eax, dword ptr fs:[00000030h]4_2_0103C8F9
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D4B00 mov eax, dword ptr fs:[00000030h]4_2_010D4B00
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107EB1D mov eax, dword ptr fs:[00000030h]4_2_0107EB1D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107EB1D mov eax, dword ptr fs:[00000030h]4_2_0107EB1D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107EB1D mov eax, dword ptr fs:[00000030h]4_2_0107EB1D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107EB1D mov eax, dword ptr fs:[00000030h]4_2_0107EB1D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107EB1D mov eax, dword ptr fs:[00000030h]4_2_0107EB1D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107EB1D mov eax, dword ptr fs:[00000030h]4_2_0107EB1D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107EB1D mov eax, dword ptr fs:[00000030h]4_2_0107EB1D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107EB1D mov eax, dword ptr fs:[00000030h]4_2_0107EB1D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107EB1D mov eax, dword ptr fs:[00000030h]4_2_0107EB1D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102EB20 mov eax, dword ptr fs:[00000030h]4_2_0102EB20
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102EB20 mov eax, dword ptr fs:[00000030h]4_2_0102EB20
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C8B28 mov eax, dword ptr fs:[00000030h]4_2_010C8B28
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010C8B28 mov eax, dword ptr fs:[00000030h]4_2_010C8B28
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B4B4B mov eax, dword ptr fs:[00000030h]4_2_010B4B4B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B4B4B mov eax, dword ptr fs:[00000030h]4_2_010B4B4B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010A8B42 mov eax, dword ptr fs:[00000030h]4_2_010A8B42
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01096B40 mov eax, dword ptr fs:[00000030h]4_2_01096B40
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01096B40 mov eax, dword ptr fs:[00000030h]4_2_01096B40
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010CAB40 mov eax, dword ptr fs:[00000030h]4_2_010CAB40
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AEB50 mov eax, dword ptr fs:[00000030h]4_2_010AEB50
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D2B57 mov eax, dword ptr fs:[00000030h]4_2_010D2B57
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D2B57 mov eax, dword ptr fs:[00000030h]4_2_010D2B57
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D2B57 mov eax, dword ptr fs:[00000030h]4_2_010D2B57
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D2B57 mov eax, dword ptr fs:[00000030h]4_2_010D2B57
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B4BB0 mov eax, dword ptr fs:[00000030h]4_2_010B4BB0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010B4BB0 mov eax, dword ptr fs:[00000030h]4_2_010B4BB0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010BBE mov eax, dword ptr fs:[00000030h]4_2_01010BBE
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010BBE mov eax, dword ptr fs:[00000030h]4_2_01010BBE
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01020BCB mov eax, dword ptr fs:[00000030h]4_2_01020BCB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01020BCB mov eax, dword ptr fs:[00000030h]4_2_01020BCB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01020BCB mov eax, dword ptr fs:[00000030h]4_2_01020BCB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01000BCD mov eax, dword ptr fs:[00000030h]4_2_01000BCD
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01000BCD mov eax, dword ptr fs:[00000030h]4_2_01000BCD
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01000BCD mov eax, dword ptr fs:[00000030h]4_2_01000BCD
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AEBD0 mov eax, dword ptr fs:[00000030h]4_2_010AEBD0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01008BF0 mov eax, dword ptr fs:[00000030h]4_2_01008BF0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01008BF0 mov eax, dword ptr fs:[00000030h]4_2_01008BF0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01008BF0 mov eax, dword ptr fs:[00000030h]4_2_01008BF0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108CBF0 mov eax, dword ptr fs:[00000030h]4_2_0108CBF0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102EBFC mov eax, dword ptr fs:[00000030h]4_2_0102EBFC
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0108CA11 mov eax, dword ptr fs:[00000030h]4_2_0108CA11
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103CA24 mov eax, dword ptr fs:[00000030h]4_2_0103CA24
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0102EA2E mov eax, dword ptr fs:[00000030h]4_2_0102EA2E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01024A35 mov eax, dword ptr fs:[00000030h]4_2_01024A35
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01024A35 mov eax, dword ptr fs:[00000030h]4_2_01024A35
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103CA38 mov eax, dword ptr fs:[00000030h]4_2_0103CA38
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01006A50 mov eax, dword ptr fs:[00000030h]4_2_01006A50
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01006A50 mov eax, dword ptr fs:[00000030h]4_2_01006A50
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01006A50 mov eax, dword ptr fs:[00000030h]4_2_01006A50
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01006A50 mov eax, dword ptr fs:[00000030h]4_2_01006A50
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01006A50 mov eax, dword ptr fs:[00000030h]4_2_01006A50
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01006A50 mov eax, dword ptr fs:[00000030h]4_2_01006A50
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01006A50 mov eax, dword ptr fs:[00000030h]4_2_01006A50
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010A5B mov eax, dword ptr fs:[00000030h]4_2_01010A5B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01010A5B mov eax, dword ptr fs:[00000030h]4_2_01010A5B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010AEA60 mov eax, dword ptr fs:[00000030h]4_2_010AEA60
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103CA6F mov eax, dword ptr fs:[00000030h]4_2_0103CA6F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103CA6F mov eax, dword ptr fs:[00000030h]4_2_0103CA6F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0103CA6F mov eax, dword ptr fs:[00000030h]4_2_0103CA6F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107CA72 mov eax, dword ptr fs:[00000030h]4_2_0107CA72
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0107CA72 mov eax, dword ptr fs:[00000030h]4_2_0107CA72
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100EA80 mov eax, dword ptr fs:[00000030h]4_2_0100EA80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100EA80 mov eax, dword ptr fs:[00000030h]4_2_0100EA80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100EA80 mov eax, dword ptr fs:[00000030h]4_2_0100EA80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100EA80 mov eax, dword ptr fs:[00000030h]4_2_0100EA80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100EA80 mov eax, dword ptr fs:[00000030h]4_2_0100EA80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100EA80 mov eax, dword ptr fs:[00000030h]4_2_0100EA80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100EA80 mov eax, dword ptr fs:[00000030h]4_2_0100EA80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100EA80 mov eax, dword ptr fs:[00000030h]4_2_0100EA80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_0100EA80 mov eax, dword ptr fs:[00000030h]4_2_0100EA80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_00FFCB7E mov eax, dword ptr fs:[00000030h]4_2_00FFCB7E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_010D4A80 mov eax, dword ptr fs:[00000030h]4_2_010D4A80
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01038A90 mov edx, dword ptr fs:[00000030h]4_2_01038A90
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeCode function: 4_2_01008AA0 mov eax, dword ptr fs:[00000030h]4_2_01008AA0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe"
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe"Jump to behavior
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeMemory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe"Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe"Jump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.8.drBinary or memory string: msmpeng.exe
          Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.8.drBinary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
          DLL Side-Loading          		111
          Process Injection          		1
          Masquerading          		OS Credential Dumping31
          Security Software Discovery          		Remote Services1
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
          DLL Side-Loading          		11
          Disable or Modify Tools          		LSASS Memory1
          Process Discovery          		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)41
          Virtualization/Sandbox Evasion          		Security Account Manager41
          Virtualization/Sandbox Evasion          		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
          Process Injection          		NTDS1
          Application Window Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          Deobfuscate/Decode Files or Information          		LSA Secrets1
          File and Directory Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
          Obfuscated Files or Information          		Cached Domain Credentials12
          System Information Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
          Software Packing          		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
          DLL Side-Loading          		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 1465503 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 01/07/2024 Architecture: WINDOWS Score: 100 24 Malicious sample detected (through community Yara rule) 2->24 26 Antivirus / Scanner detection for submitted sample 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 6 other signatures 2->30 7 SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe 4 2->7         started        process3 file4 22 SecuriteInfo.com.W...16176.20864.exe.log, ASCII 7->22 dropped 32 Adds a directory exclusion to Windows Defender 7->32 34 Injects a PE file into a foreign processes 7->34 11 powershell.exe 23 7->11         started        14 SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe 7->14         started        signatures5 process6 signatures7 36 Loading BitLocker PowerShell Module 11->36 16 WmiPrvSE.exe 11->16         started        18 conhost.exe 11->18         started        20 WerFault.exe 21 16 14->20         started        process8

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe29%ReversingLabsByteCode-MSIL.Trojan.XWorm
          SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe100%AviraHEUR/AGEN.1308761
          SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.apache.org/licenses/LICENSE-2.00%URL Reputationsafe
          http://www.fontbureau.com0%URL Reputationsafe
          http://www.fontbureau.com/designersG0%URL Reputationsafe
          http://www.fontbureau.com/designers/?0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.fontbureau.com/designers?0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://upx.sf.net0%URL Reputationsafe
          http://www.fontbureau.com/designers0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.fontbureau.com/designers/cabarga.htmlN0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.fontbureau.com/designers/frere-user.html0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.fontbureau.com/designers80%URL Reputationsafe
          http://www.fonts.com0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://www.apache.org/licenses/LICENSE-2.0SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.fontbureau.comSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.fontbureau.com/designersGSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.fontbureau.com/designers/?SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.founder.com.cn/cn/bTheSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.fontbureau.com/designers?SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.tiro.comSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://upx.sf.netAmcache.hve.8.drfalse
          • URL Reputation: safe
          		unknown
          http://www.fontbureau.com/designersSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.goodfont.co.krSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.carterandcone.comlSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.sajatypeworks.comSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.typography.netDSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.fontbureau.com/designers/cabarga.htmlNSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.founder.com.cn/cn/cTheSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.galapagosdesign.com/staff/dennis.htmSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.founder.com.cn/cnSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.fontbureau.com/designers/frere-user.htmlSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.jiyu-kobo.co.jp/SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.galapagosdesign.com/DPleaseSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.fontbureau.com/designers8SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.fonts.comSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.sandoll.co.krSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.urwpp.deDPleaseSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.zhongyicts.com.cnSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1787571267.0000000002F31000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.sakkal.comSecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe, 00000000.00000002.1799217462.0000000006FB2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1465503
          Start date and time:2024-07-01 18:24:08 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 7m 16s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:13
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@8/11@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 92%
          • Number of executed functions: 34
          • Number of non-executed functions: 268
          Cookbook Comments:
          • Found application associated with file extension: .exe

          Warnings

          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 20.189.173.22
          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe

          Simulations

          Behavior and APIs

          TimeTypeDescription
          12:25:09API Interceptor1x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe modified
          12:25:11API Interceptor20x Sleep call for process: powershell.exe modified
          12:25:34API Interceptor1x Sleep call for process: WerFault.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_74c1169901cfd82c83d4316a2f32e8232d1c591_4b6ee407_16f3011e-a244-453b-95f7-631c14484814\Report.wer

          Download File
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):65536
          Entropy (8bit):0.6666295732138922
          Encrypted:false
          SSDEEP:96:1pEIFgQsy1Chuo/s9H+j9Fc+fpQXIDcQvc6QcEVcw3cE/CMJ+HbHsZAX/d5FMT2A:1mIuZyu/w0BU/AjlzuiF1Z24IO8u
          MD5:2C9855DF77B8DBB376C75EDE72E82DBB
          SHA1:00154DD4DC352A5BB313A35EBD2D2073B7F8D215
          SHA-256:72B21A5A1BF308216FDC9D57401D057E3BF6BCA5332BAEBF128ABEDF74CFCC4E
          SHA-512:F6E7EFD5A85DA72180067B61CA8CB3AAFE91DD1B2ECC25A2FD82F95B803C283FA3F65A1577CA65B46F313FEB07D33906DCA862D6755326562BA636C07C509C32
          Malicious:false
          Reputation:low
          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.2.4.7.1.3.8.5.3.8.8.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.2.4.7.1.4.1.3.5.1.3.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.f.3.0.1.1.e.-.a.2.4.4.-.4.5.3.b.-.9.5.f.7.-.6.3.1.c.1.4.4.8.4.8.1.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.f.7.6.e.a.e.7.-.1.7.c.f.-.4.f.a.b.-.b.3.b.d.-.7.e.a.d.6.7.e.4.7.8.1.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...P.W.S.X.-.g.e.n...1.6.1.7.6...2.0.8.6.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.Q.x.k.B...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.4.-.0.0.0.1.-.0.0.1.4.-.6.9.3.4.-.6.1.3.e.d.3.c.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.c.c.9.5.3.1.e.d.7.6.4.8.b.2.2.6.a.5.9.9.a.a.c.5.b.d.3.5.9.1.0.0.0.0.0.0.0.0.!.0.0.0.0.1.f.c.a.e.3.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WERD85F.tmp.dmp

          Download File
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:Mini DuMP crash report, 14 streams, Mon Jul 1 16:25:13 2024, 0x1205a4 type
          Category:dropped
          Size (bytes):25254
          Entropy (8bit):1.7192646379016576
          Encrypted:false
          SSDEEP:96:5C88N1L6Y7i8i1ZhBdyi75d/kK9Z7HzRW+yESRWI9LIedhMx7JT:X8fmy6Z3IO5D9Z7HIEAY7JT
          MD5:36E5B54961D3FA2508E1766F080C3EB4
          SHA1:DA7C3C7ECC5F1F507E4068688175138D84E98429
          SHA-256:230503101D0D14003BDDBCEF58E306236D80F2C02E28E77025169322D8AFB5B6
          SHA-512:4B3F37F5710C5FB6B7C8B0FD72160466C6F0E2F4AA035917F857A4E33478C44FACE4EF380AA1936020D1FB672AA2FC5492F150CEE398087848792312413ACD7B
          Malicious:false
          Reputation:low
          Preview:MDMP..a..... .......i.f............4...............<.......T...(...........T.......8...........T...........0...vZ......................................................................................................eJ......L.......GenuineIntel............T...........f.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

          C:\ProgramData\Microsoft\Windows\WER\Temp\WERD89F.tmp.WERInternalMetadata.xml

          Download File
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):6492
          Entropy (8bit):3.7244270652667333
          Encrypted:false
          SSDEEP:96:RSIU6o7wVetbP1D6bBM5ugcwYosUQE/fzbd5aM4U789bixsfd2m:R6l7wVeJdD6bBIdYInpr789bixsfd2m
          MD5:2EEAE5EA05DD3449EFC244F1D0E5AE75
          SHA1:619D80CCAC691727808F768013449BC03EF21888
          SHA-256:1BDB26BB6C8F9830DFA679DF278DC1A65354FD3A0A813C1721520AF1EC650FF7
          SHA-512:A221B10D75D6479BF8595D143062C37C10AB5CF1D1A5D4BD45B0BD75C4B45583A8603B80DC5E664D8517E365B379C8DB9D6F4320B25E9AA26D6191BE9C51297E
          Malicious:false
          Reputation:low
          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.9.2.<./.P.i.

          C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8CF.tmp.xml

          Download File
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):4881
          Entropy (8bit):4.578329076686502
          Encrypted:false
          SSDEEP:48:cvIwWl8zsUJg77aI9JmWpW8VYyYYm8M4JE1ZAZKjFP+q81TW4I61Vw8Ilwwd:uIjfSI7nn7VVVJIg0Owd
          MD5:7B5A1E105DB1C9EF2C528B6F88BAA9F8
          SHA1:6D96FF0F56774B164A0DF2F47CA81AF94D38EC96
          SHA-256:7511724A81B4643D45A0B64377412413738E4E1BD2B18F79D3F84CD6D6810964
          SHA-512:C9718B0E6BA405279EA5175D1D82DA6E55C3987A91ABE9715726DEDA75FD67AD993D3DD97454F302329A03BB2EDC14B9E145D69A992628747FAA84C5DDBF0466
          Malicious:false
          Reputation:low
          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="392127" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe.log

          Download File
          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1216
          Entropy (8bit):5.34331486778365
          Encrypted:false
          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
          MD5:1330C80CAAC9A0FB172F202485E9B1E8
          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
          Malicious:true
          Reputation:high, very likely benign file
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Download File
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:data
          Category:dropped
          Size (bytes):2232
          Entropy (8bit):5.379736180876081
          Encrypted:false
          SSDEEP:48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:tLHyIFKL3IZ2KRH9Oug8s
          MD5:AE33CC731D64A142DFCC6A541D0708FC
          SHA1:31B0ECD28CA8892C3EF4B42D1CB1F56BECD14BEA
          SHA-256:776FC4031835093845318CEABF43AB13C51EC6CA69B985C45049EAE2EB6AF623
          SHA-512:5282E64561D28CB77C92089BEAF27D83EC55B2A673BEF6EAB4DFC49BE61A0F6653E73F07A45AFBF93C407546D04BB50D9690CCBF553227A4E6CFE4F98389C211
          Malicious:false
          Reputation:moderate, very likely benign file
          Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1cv3okj0.b1b.ps1

          Download File
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Reputation:high, very likely benign file
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kzwnydqv.bsu.psm1

          Download File
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sism01nl.0zf.psm1

          Download File
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wwnohdeg.d0b.ps1

          Download File
          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):60
          Entropy (8bit):4.038920595031593
          Encrypted:false
          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
          MD5:D17FE0A3F47BE24A6453E9EF58C94641
          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
          Malicious:false
          Preview:# PowerShell test file to determine AppLocker lockdown mode

          C:\Windows\appcompat\Programs\Amcache.hve

          Download File
          Process:C:\Windows\SysWOW64\WerFault.exe
          File Type:MS Windows registry file, NT/2000 or above
          Category:dropped
          Size (bytes):1835008
          Entropy (8bit):4.466012043400569
          Encrypted:false
          SSDEEP:6144:aIXfpi67eLPU9skLmb0b46WSPKaJG8nAgejZMMhA2gX4WABl0uNvdwBCswSbY:vXD946WlLZMM6YFHV+Y
          MD5:3C9F6C444FC244E30FE97179CA18B127
          SHA1:E6B128704D288EBE2BF168814A24B043700CA99D
          SHA-256:DD7D7985EE2F2B8832EA86C97FBA6806EEC4A24684E937ED1D9BDC343EEDEC89
          SHA-512:D76BF6F617CBDE76F1C60F874AC0F13CB9EEA99672790EB8976BD42A516390BD6C2B75D10FC41CEC606FD7627B5556761ACB135C374A41A2E0471F55063702F5
          Malicious:false
          Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm^.J@................................................................................................................................................................................................................................................................................................................................................+.\t........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.9496767064670655
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
          • Win32 Executable (generic) a (10002005/4) 49.75%
          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
          • Windows Screen Saver (13104/52) 0.07%
          • Win16/32 Executable Delphi generic (2074/23) 0.01%
          File name:SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          File size:686'080 bytes
          MD5:1bf19b9cf38e2316c53af9ecfdf2142b
          SHA1:1fcae3591288df36927b66fcb3422e14ba12b234
          SHA256:a2f6bbeb5c2756cfd0a71196e98f0b4f71e58101b3e39342015aad98d70d0f31
          SHA512:2fa3c3603120add1271e35d2dea38f7e1003929baf5b4e4512b2bf7137d2d0f4d728b7f2de8ebaa2442ee8c482edda7eb73a82b5ab50a21c53c0f4e1cc227571
          SSDEEP:12288:UA1v6lRPMlAXtbAFz6CpDQO2nJeKB0EWq2+xG1fUu+pdi0LMTzh37wVTWHP7j/:VIRoubg2FO2nJeKOnqzxGTbfN30VTWHP
          TLSH:0AE42262367CA9A3CB7D95FA2415446203F2363C650AD3C91ED470DE0BE6FB42A41F6B
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..P... .......m... ........@.. ....................................@................................

          File Icon

          Icon Hash:6145b2b1e4a4b186

          Static PE Info

          General

          Entrypoint:0x4a6dd6
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Time Stamp:0x6682B7C7 [Mon Jul 1 14:05:59 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

          Entrypoint Preview

          Instruction
          jmp dword ptr [00402000h]
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al
          add byte ptr [eax], al

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IMPORT0xa6d840x4f.text
          IMAGE_DIRECTORY_ENTRY_RESOURCE0xa80000x16b4.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0xaa0000xc.reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .text0x20000xa4ddc0xa5000db7d026a193e858876cd3b516721c767False0.958493134469697COM executable for DOS7.968605701945629IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rsrc0xa80000x16b40x1800a690efb91db3c1ddba26e17f957f4a01False0.8045247395833334data7.038176928915998IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc0xaa0000xc0x800605be39b33f3fbc7eac61bea35031788False0.015625data0.03037337037012526IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          NameRVASizeTypeLanguageCountryZLIB Complexity
          RT_ICON0xa80c80x129fPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9418921753723516
          RT_GROUP_ICON0xa93780x14data1.05
          RT_VERSION0xa939c0x312data0.43638676844783714

          Imports

          DLLImport
          mscoree.dll_CorExeMain

          Network Behavior

          No network behavior found

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:12:25:08
          Start date:01/07/2024
          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe"
          Imagebase:0x960000
          File size:686'080 bytes
          MD5 hash:1BF19B9CF38E2316C53AF9ECFDF2142B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          General

          Target ID:2
          Start time:12:25:10
          Start date:01/07/2024
          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe"
          Imagebase:0x7d0000
          File size:433'152 bytes
          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:3
          Start time:12:25:10
          Start date:01/07/2024
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7699e0000
          File size:862'208 bytes
          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:4
          Start time:12:25:10
          Start date:01/07/2024
          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.16176.20864.exe"
          Imagebase:0x530000
          File size:686'080 bytes
          MD5 hash:1BF19B9CF38E2316C53AF9ECFDF2142B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          Reputation:low
          Has exited:true

          General

          Target ID:5
          Start time:12:25:13
          Start date:01/07/2024
          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Imagebase:0x7ff693ab0000
          File size:496'640 bytes
          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
          Has elevated privileges:true
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          General

          Target ID:8
          Start time:12:25:13
          Start date:01/07/2024
          Path:C:\Windows\SysWOW64\WerFault.exe
          Wow64 process (32bit):true
          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 196
          Imagebase:0x9e0000
          File size:483'680 bytes
          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high
          Has exited:true

          Disassembly

          Reset < >

            Execution Graph

            Execution Coverage:9.5%
            Dynamic/Decrypted Code Coverage:100%
            Signature Coverage:0%
            Total number of Nodes:206
            Total number of Limit Nodes:12
            execution_graph 17675 2c73840 17676 2c739cb 17675->17676 17677 2c73866 17675->17677 17677->17676 17680 2c73ac0 PostMessageW 17677->17680 17682 2c73ab8 17677->17682 17681 2c73b2c 17680->17681 17681->17677 17683 2c73ac0 PostMessageW 17682->17683 17684 2c73b2c 17683->17684 17684->17677 17685 2cfdc08 17686 2cfdc4e GetCurrentProcess 17685->17686 17688 2cfdc99 17686->17688 17689 2cfdca0 GetCurrentThread 17686->17689 17688->17689 17690 2cfdcdd GetCurrentProcess 17689->17690 17691 2cfdcd6 17689->17691 17692 2cfdd13 GetCurrentThreadId 17690->17692 17691->17690 17694 2cfdd6c 17692->17694 17924 2cfe258 DuplicateHandle 17925 2cfe2ee 17924->17925 17926 2cfc0e8 17927 2cfc0fc 17926->17927 17928 2cfc121 17927->17928 17930 2cfb888 17927->17930 17931 2cfc2c8 LoadLibraryExW 17930->17931 17933 2cfc341 17931->17933 17933->17928 17695 2cf2180 17696 2cf218a 17695->17696 17698 2cf2280 17695->17698 17699 2cf22a5 17698->17699 17703 2cf2380 17699->17703 17707 2cf2390 17699->17707 17705 2cf23b7 17703->17705 17704 2cf2494 17704->17704 17705->17704 17711 2cf1fb8 17705->17711 17708 2cf23b7 17707->17708 17709 2cf1fb8 CreateActCtxA 17708->17709 17710 2cf2494 17708->17710 17709->17710 17712 2cf3420 CreateActCtxA 17711->17712 17714 2cf34e3 17712->17714 17715 2cfc040 17716 2cfc088 GetModuleHandleW 17715->17716 17717 2cfc082 17715->17717 17718 2cfc0b5 17716->17718 17717->17716 17719 2c72608 17720 2c7261d 17719->17720 17725 2c726a6 17720->17725 17741 2c72638 17720->17741 17756 2c72648 17720->17756 17721 2c7262f 17726 2c72634 17725->17726 17728 2c726a9 17725->17728 17771 2c72b16 17726->17771 17776 2c72b6a 17726->17776 17781 2c72fcc 17726->17781 17791 2c72e6c 17726->17791 17796 2c730be 17726->17796 17804 2c72d7f 17726->17804 17809 2c73080 17726->17809 17819 2c73490 17726->17819 17827 2c72b21 17726->17827 17839 2c731b2 17726->17839 17844 2c72af2 17726->17844 17854 2c72aa3 17726->17854 17727 2c72686 17727->17721 17728->17721 17742 2c72662 17741->17742 17744 2c72b16 2 API calls 17742->17744 17745 2c72aa3 6 API calls 17742->17745 17746 2c72af2 4 API calls 17742->17746 17747 2c731b2 2 API calls 17742->17747 17748 2c72b21 6 API calls 17742->17748 17749 2c73490 4 API calls 17742->17749 17750 2c73080 4 API calls 17742->17750 17751 2c72d7f 2 API calls 17742->17751 17752 2c730be 4 API calls 17742->17752 17753 2c72e6c 2 API calls 17742->17753 17754 2c72fcc 4 API calls 17742->17754 17755 2c72b6a 2 API calls 17742->17755 17743 2c72686 17743->17721 17744->17743 17745->17743 17746->17743 17747->17743 17748->17743 17749->17743 17750->17743 17751->17743 17752->17743 17753->17743 17754->17743 17755->17743 17757 2c72662 17756->17757 17759 2c72b16 2 API calls 17757->17759 17760 2c72aa3 6 API calls 17757->17760 17761 2c72af2 4 API calls 17757->17761 17762 2c731b2 2 API calls 17757->17762 17763 2c72b21 6 API calls 17757->17763 17764 2c73490 4 API calls 17757->17764 17765 2c73080 4 API calls 17757->17765 17766 2c72d7f 2 API calls 17757->17766 17767 2c730be 4 API calls 17757->17767 17768 2c72e6c 2 API calls 17757->17768 17769 2c72fcc 4 API calls 17757->17769 17770 2c72b6a 2 API calls 17757->17770 17758 2c72686 17758->17721 17759->17758 17760->17758 17761->17758 17762->17758 17763->17758 17764->17758 17765->17758 17766->17758 17767->17758 17768->17758 17769->17758 17770->17758 17772 2c72dc3 17771->17772 17866 2c70ba0 17772->17866 17870 2c70b98 17772->17870 17773 2c72de5 17777 2c72b70 17776->17777 17874 2c70862 17777->17874 17878 2c70868 17777->17878 17778 2c72b9d 17778->17727 17782 2c72feb 17781->17782 17785 2c72afe 17781->17785 17882 2c737e8 17782->17882 17887 2c737f8 17782->17887 17783 2c72b88 17787 2c70862 ResumeThread 17783->17787 17788 2c70868 ResumeThread 17783->17788 17784 2c72b09 17784->17727 17784->17784 17785->17782 17785->17783 17785->17784 17786 2c72b9d 17786->17727 17787->17786 17788->17786 17792 2c72e72 17791->17792 17900 2c70ab0 17792->17900 17904 2c70aa9 17792->17904 17793 2c72ea4 17797 2c73411 17796->17797 17799 2c72ea4 17796->17799 17908 2c709f0 17797->17908 17912 2c709e9 17797->17912 17798 2c72e83 17798->17799 17800 2c70ab0 WriteProcessMemory 17798->17800 17801 2c70aa9 WriteProcessMemory 17798->17801 17799->17799 17800->17799 17801->17799 17805 2c72f03 17804->17805 17807 2c70ab0 WriteProcessMemory 17805->17807 17808 2c70aa9 WriteProcessMemory 17805->17808 17806 2c733f2 17807->17806 17808->17806 17813 2c72afe 17809->17813 17810 2c72feb 17817 2c737e8 2 API calls 17810->17817 17818 2c737f8 2 API calls 17810->17818 17811 2c72b88 17815 2c70862 ResumeThread 17811->17815 17816 2c70868 ResumeThread 17811->17816 17812 2c72b09 17812->17727 17812->17812 17813->17810 17813->17811 17813->17812 17814 2c72b9d 17814->17727 17815->17814 17816->17814 17817->17814 17818->17814 17820 2c7341f 17819->17820 17821 2c72e83 17819->17821 17820->17821 17823 2c709f0 VirtualAllocEx 17820->17823 17824 2c709e9 VirtualAllocEx 17820->17824 17822 2c72ea4 17821->17822 17825 2c70ab0 WriteProcessMemory 17821->17825 17826 2c70aa9 WriteProcessMemory 17821->17826 17823->17821 17824->17821 17825->17822 17826->17822 17835 2c70ab0 WriteProcessMemory 17827->17835 17836 2c70aa9 WriteProcessMemory 17827->17836 17828 2c72afe 17829 2c72b09 17828->17829 17830 2c72feb 17828->17830 17831 2c72b88 17828->17831 17829->17727 17837 2c737e8 2 API calls 17830->17837 17838 2c737f8 2 API calls 17830->17838 17833 2c70862 ResumeThread 17831->17833 17834 2c70868 ResumeThread 17831->17834 17832 2c72b9d 17832->17727 17833->17832 17834->17832 17835->17828 17836->17828 17837->17832 17838->17832 17840 2c73315 17839->17840 17842 2c70912 Wow64SetThreadContext 17840->17842 17843 2c70918 Wow64SetThreadContext 17840->17843 17841 2c73330 17842->17841 17843->17841 17846 2c72afe 17844->17846 17845 2c72b09 17845->17727 17845->17845 17846->17845 17847 2c72feb 17846->17847 17848 2c72b88 17846->17848 17850 2c737e8 2 API calls 17847->17850 17851 2c737f8 2 API calls 17847->17851 17852 2c70862 ResumeThread 17848->17852 17853 2c70868 ResumeThread 17848->17853 17849 2c72b9d 17849->17727 17850->17849 17851->17849 17852->17849 17853->17849 17916 2c70d2d 17854->17916 17920 2c70d38 17854->17920 17855 2c72b09 17855->17727 17856 2c72ad3 17856->17855 17857 2c72feb 17856->17857 17859 2c72b88 17856->17859 17862 2c737e8 Wow64SetThreadContext Wow64SetThreadContext 17857->17862 17863 2c737f8 Wow64SetThreadContext Wow64SetThreadContext 17857->17863 17858 2c72b9d 17858->17727 17864 2c70862 ResumeThread 17859->17864 17865 2c70868 ResumeThread 17859->17865 17862->17858 17863->17858 17864->17858 17865->17858 17867 2c70beb ReadProcessMemory 17866->17867 17869 2c70c2f 17867->17869 17869->17773 17871 2c70ba0 ReadProcessMemory 17870->17871 17873 2c70c2f 17871->17873 17873->17773 17875 2c70868 ResumeThread 17874->17875 17877 2c708d9 17875->17877 17877->17778 17879 2c708a8 ResumeThread 17878->17879 17881 2c708d9 17879->17881 17881->17778 17883 2c7380d 17882->17883 17892 2c70912 17883->17892 17896 2c70918 17883->17896 17884 2c73823 17884->17786 17888 2c7380d 17887->17888 17890 2c70912 Wow64SetThreadContext 17888->17890 17891 2c70918 Wow64SetThreadContext 17888->17891 17889 2c73823 17889->17786 17890->17889 17891->17889 17893 2c7095d Wow64SetThreadContext 17892->17893 17895 2c709a5 17893->17895 17895->17884 17897 2c7095d Wow64SetThreadContext 17896->17897 17899 2c709a5 17897->17899 17899->17884 17901 2c70af8 WriteProcessMemory 17900->17901 17903 2c70b4f 17901->17903 17903->17793 17905 2c70af8 WriteProcessMemory 17904->17905 17907 2c70b4f 17905->17907 17907->17793 17909 2c70a30 VirtualAllocEx 17908->17909 17911 2c70a6d 17909->17911 17911->17798 17913 2c709f0 VirtualAllocEx 17912->17913 17915 2c70a6d 17913->17915 17915->17798 17917 2c70d38 CreateProcessA 17916->17917 17919 2c70f83 17917->17919 17919->17919 17921 2c70dc1 CreateProcessA 17920->17921 17923 2c70f83 17921->17923 17923->17923

            Executed Functions

            Function 02C749BB Relevance: .4, Instructions: 396COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 218c999b18679021648f3dc64cc52b6f9c66052ac1c174c5794bd0200911b8b4
            • Instruction ID: 6beb2a4e8e006c0351fbd28b534488017568ec9ecce37f4d1d8b81b89494ec49
            • Opcode Fuzzy Hash: 218c999b18679021648f3dc64cc52b6f9c66052ac1c174c5794bd0200911b8b4
            • Instruction Fuzzy Hash: B3E1C9717016048FDB69DB75C460BAEB7FBAFC9704F208469D2499B690DB34EE01CBA1
            Function 02CFDC08 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 563 2cfdc08-2cfdc97 GetCurrentProcess 567 2cfdc99-2cfdc9f 563->567 568 2cfdca0-2cfdcd4 GetCurrentThread 563->568 567->568 569 2cfdcdd-2cfdd11 GetCurrentProcess 568->569 570 2cfdcd6-2cfdcdc 568->570 572 2cfdd1a-2cfdd32 569->572 573 2cfdd13-2cfdd19 569->573 570->569 576 2cfdd3b-2cfdd6a GetCurrentThreadId 572->576 573->572 577 2cfdd6c-2cfdd72 576->577 578 2cfdd73-2cfddd5 576->578 577->578
            APIs
            • GetCurrentProcess.KERNEL32 ref: 02CFDC86
            • GetCurrentThread.KERNEL32 ref: 02CFDCC3
            • GetCurrentProcess.KERNEL32 ref: 02CFDD00
            • GetCurrentThreadId.KERNEL32 ref: 02CFDD59
            Memory Dump Source
            • Source File: 00000000.00000002.1787011451.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: Current$ProcessThread
            • String ID:
            • API String ID: 2063062207-0
            • Opcode ID: 110e11947abd2787810dfda9fff98a425eca2837edaa927becd77eff6e35602d
            • Instruction ID: 79b1b8a197c241382b028d801fbbada79b71bb12efda6ca988976dbc8f17aa73
            • Opcode Fuzzy Hash: 110e11947abd2787810dfda9fff98a425eca2837edaa927becd77eff6e35602d
            • Instruction Fuzzy Hash: C05177B0D007098FDB44DFA9D648B9EBBF1EF88314F208459E419A7390DB709984CB66
            Function 02C70D2D Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 646 2c70d2d-2c70dcd 649 2c70e06-2c70e26 646->649 650 2c70dcf-2c70dd9 646->650 655 2c70e5f-2c70e8e 649->655 656 2c70e28-2c70e32 649->656 650->649 651 2c70ddb-2c70ddd 650->651 653 2c70e00-2c70e03 651->653 654 2c70ddf-2c70de9 651->654 653->649 657 2c70ded-2c70dfc 654->657 658 2c70deb 654->658 666 2c70ec7-2c70f81 CreateProcessA 655->666 667 2c70e90-2c70e9a 655->667 656->655 659 2c70e34-2c70e36 656->659 657->657 660 2c70dfe 657->660 658->657 661 2c70e59-2c70e5c 659->661 662 2c70e38-2c70e42 659->662 660->653 661->655 664 2c70e46-2c70e55 662->664 665 2c70e44 662->665 664->664 668 2c70e57 664->668 665->664 678 2c70f83-2c70f89 666->678 679 2c70f8a-2c71010 666->679 667->666 669 2c70e9c-2c70e9e 667->669 668->661 671 2c70ec1-2c70ec4 669->671 672 2c70ea0-2c70eaa 669->672 671->666 673 2c70eae-2c70ebd 672->673 674 2c70eac 672->674 673->673 675 2c70ebf 673->675 674->673 675->671 678->679 689 2c71012-2c71016 679->689 690 2c71020-2c71024 679->690 689->690 693 2c71018 689->693 691 2c71026-2c7102a 690->691 692 2c71034-2c71038 690->692 691->692 694 2c7102c 691->694 695 2c7103a-2c7103e 692->695 696 2c71048-2c7104c 692->696 693->690 694->692 695->696 697 2c71040 695->697 698 2c7105e-2c71065 696->698 699 2c7104e-2c71054 696->699 697->696 700 2c71067-2c71076 698->700 701 2c7107c 698->701 699->698 700->701 702 2c7107d 701->702 702->702
            APIs
            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02C70F6E
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0
            • Opcode ID: 32cf36d0ec2817a9970831a435eef2da82638cf0b395559ffab680b4caded258
            • Instruction ID: af61b1c738c9f096a54a321b701f572340c11660c945be8cd72770a342a6a212
            • Opcode Fuzzy Hash: 32cf36d0ec2817a9970831a435eef2da82638cf0b395559ffab680b4caded258
            • Instruction Fuzzy Hash: E7A16E71D00259CFDB20CF69C841BEEBBB2FF48314F14856AE859A7240DB759A85CF92
            Function 02C70D38 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 704 2c70d38-2c70dcd 706 2c70e06-2c70e26 704->706 707 2c70dcf-2c70dd9 704->707 712 2c70e5f-2c70e8e 706->712 713 2c70e28-2c70e32 706->713 707->706 708 2c70ddb-2c70ddd 707->708 710 2c70e00-2c70e03 708->710 711 2c70ddf-2c70de9 708->711 710->706 714 2c70ded-2c70dfc 711->714 715 2c70deb 711->715 723 2c70ec7-2c70f81 CreateProcessA 712->723 724 2c70e90-2c70e9a 712->724 713->712 716 2c70e34-2c70e36 713->716 714->714 717 2c70dfe 714->717 715->714 718 2c70e59-2c70e5c 716->718 719 2c70e38-2c70e42 716->719 717->710 718->712 721 2c70e46-2c70e55 719->721 722 2c70e44 719->722 721->721 725 2c70e57 721->725 722->721 735 2c70f83-2c70f89 723->735 736 2c70f8a-2c71010 723->736 724->723 726 2c70e9c-2c70e9e 724->726 725->718 728 2c70ec1-2c70ec4 726->728 729 2c70ea0-2c70eaa 726->729 728->723 730 2c70eae-2c70ebd 729->730 731 2c70eac 729->731 730->730 732 2c70ebf 730->732 731->730 732->728 735->736 746 2c71012-2c71016 736->746 747 2c71020-2c71024 736->747 746->747 750 2c71018 746->750 748 2c71026-2c7102a 747->748 749 2c71034-2c71038 747->749 748->749 751 2c7102c 748->751 752 2c7103a-2c7103e 749->752 753 2c71048-2c7104c 749->753 750->747 751->749 752->753 754 2c71040 752->754 755 2c7105e-2c71065 753->755 756 2c7104e-2c71054 753->756 754->753 757 2c71067-2c71076 755->757 758 2c7107c 755->758 756->755 757->758 759 2c7107d 758->759 759->759
            APIs
            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02C70F6E
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: CreateProcess
            • String ID:
            • API String ID: 963392458-0
            • Opcode ID: 1be34f4a2261c86f6f02798433df9c674236fdc4e6b7288229f618345dab7b5a
            • Instruction ID: 6aab7c6bb5a328ad32dad335b6ff744cf5b4801daf6e84457f356f686c2f24d5
            • Opcode Fuzzy Hash: 1be34f4a2261c86f6f02798433df9c674236fdc4e6b7288229f618345dab7b5a
            • Instruction Fuzzy Hash: 5F916D71D10259CFDB20CF68C841BEEBBB2BF48314F14856AE859A7240DB759A85CF92
            Function 02CF3414 Relevance: 1.6, APIs: 1, Instructions: 107COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 761 2cf3414-2cf3415 762 2cf33fe-2cf340b 761->762 763 2cf3417-2cf341c 761->763 764 2cf3420-2cf34e1 CreateActCtxA 763->764 766 2cf34ea-2cf3544 764->766 767 2cf34e3-2cf34e9 764->767 774 2cf3546-2cf3549 766->774 775 2cf3553-2cf3557 766->775 767->766 774->775 776 2cf3559-2cf3565 775->776 777 2cf3568-2cf3598 775->777 776->777 781 2cf354a-2cf354b 777->781 782 2cf359a-2cf359f 777->782 781->775 783 2cf3611-2cf3643 782->783
            APIs
            • CreateActCtxA.KERNEL32(?), ref: 02CF34D1
            Memory Dump Source
            • Source File: 00000000.00000002.1787011451.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: 3230bfeacb98c2bb41e563d4e67e17be09f653783359e70188c1fe5a2409de38
            • Instruction ID: 71373f49754ea22044190c0e5f52ae4bcce094a94953f02a8594f0cbeca30f5c
            • Opcode Fuzzy Hash: 3230bfeacb98c2bb41e563d4e67e17be09f653783359e70188c1fe5a2409de38
            • Instruction Fuzzy Hash: 304126B0C00359DEDB64CFA9C844BDEBBF5BF85304F20809AD509AB251DB71694ACF51
            Function 02CF1FB8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 785 2cf1fb8-2cf34e1 CreateActCtxA 788 2cf34ea-2cf3544 785->788 789 2cf34e3-2cf34e9 785->789 796 2cf3546-2cf3549 788->796 797 2cf3553-2cf3557 788->797 789->788 796->797 798 2cf3559-2cf3565 797->798 799 2cf3568-2cf3598 797->799 798->799 803 2cf354a-2cf354b 799->803 804 2cf359a-2cf359f 799->804 803->797 805 2cf3611-2cf3643 804->805
            APIs
            • CreateActCtxA.KERNEL32(?), ref: 02CF34D1
            Memory Dump Source
            • Source File: 00000000.00000002.1787011451.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: Create
            • String ID:
            • API String ID: 2289755597-0
            • Opcode ID: 326511eff63476e56fd3a16a3ac47dc4f1035b6afba171d1c39544279d240d03
            • Instruction ID: 220d4cdb95c873d1c62a1837337f2933c028550f732bf0e3e51f30ec999ad7c4
            • Opcode Fuzzy Hash: 326511eff63476e56fd3a16a3ac47dc4f1035b6afba171d1c39544279d240d03
            • Instruction Fuzzy Hash: A84105B0C0075DDBDB64DFA9C844B9EBBF5BF88304F20806AD509AB251DBB56949CF90
            Function 02C70AA9 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 807 2c70aa9-2c70afe 809 2c70b00-2c70b0c 807->809 810 2c70b0e-2c70b4d WriteProcessMemory 807->810 809->810 812 2c70b56-2c70b86 810->812 813 2c70b4f-2c70b55 810->813 813->812
            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02C70B40
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID:
            • API String ID: 3559483778-0
            • Opcode ID: 1a53d8bca4e6be289ed1c9949eb087259b218a7ec508afc90f4de08c0f8f569d
            • Instruction ID: 6ce1e9171636aae3f9ac3025620f40588f01740362c38cbea4066b9fdda64cce
            • Opcode Fuzzy Hash: 1a53d8bca4e6be289ed1c9949eb087259b218a7ec508afc90f4de08c0f8f569d
            • Instruction Fuzzy Hash: 1A2115B19003099FCB10DFA9C885BDEBBF1FF88314F10842AE959A7241D7789A55DBA4
            Function 02C70AB0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 817 2c70ab0-2c70afe 819 2c70b00-2c70b0c 817->819 820 2c70b0e-2c70b4d WriteProcessMemory 817->820 819->820 822 2c70b56-2c70b86 820->822 823 2c70b4f-2c70b55 820->823 823->822
            APIs
            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02C70B40
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessWrite
            • String ID:
            • API String ID: 3559483778-0
            • Opcode ID: 6b591d137ea852516de19ecdd71755793b12bf4ad4bef0ee3805fda67f6d3ed8
            • Instruction ID: 242bac26feace0c564dc5c5c58918bfc7617a12582ce0ea9b32ae74609c2c7ea
            • Opcode Fuzzy Hash: 6b591d137ea852516de19ecdd71755793b12bf4ad4bef0ee3805fda67f6d3ed8
            • Instruction Fuzzy Hash: 7C214AB1D003099FCB10DFA9C885BDEBBF5FF88314F10842AE959A7241D7789A54DBA4
            Function 02C70B98 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 827 2c70b98-2c70c2d ReadProcessMemory 831 2c70c36-2c70c66 827->831 832 2c70c2f-2c70c35 827->832 832->831
            APIs
            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02C70C20
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessRead
            • String ID:
            • API String ID: 1726664587-0
            • Opcode ID: 3f35c37614afffa3c5afa55bf3cd01dc4839f3aa00673fd1f240ed21c0331755
            • Instruction ID: 02862cc9d07ff6060d63feab591996814c68b484ee273292242c5521500b184d
            • Opcode Fuzzy Hash: 3f35c37614afffa3c5afa55bf3cd01dc4839f3aa00673fd1f240ed21c0331755
            • Instruction Fuzzy Hash: BA214AB1C003099FCB10DFAAC885AEEFBF5FF48320F10842AE559A7240C7349945DBA5
            Function 02C70912 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 836 2c70912-2c70963 838 2c70965-2c70971 836->838 839 2c70973-2c709a3 Wow64SetThreadContext 836->839 838->839 841 2c709a5-2c709ab 839->841 842 2c709ac-2c709dc 839->842 841->842
            APIs
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02C70996
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: ContextThreadWow64
            • String ID:
            • API String ID: 983334009-0
            • Opcode ID: 42d2ad112c6df447d2ccd83cf28c893af6552fbf23592db17c40df738cc17fda
            • Instruction ID: 436a248b53c023f28e9ce260396390f7d01d928b165c2892a6a5bd009c0309a2
            • Opcode Fuzzy Hash: 42d2ad112c6df447d2ccd83cf28c893af6552fbf23592db17c40df738cc17fda
            • Instruction Fuzzy Hash: A92143B19002098FDB10DFAAC4857EEBFF4EB88324F10842AD559A7341CB789A45CBA5
            Function 02C70BA0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
            Download Yara Rule
            APIs
            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02C70C20
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: MemoryProcessRead
            • String ID:
            • API String ID: 1726664587-0
            • Opcode ID: b4c0eb8d1ac1ad7d5861c68a45ffd3eddd3bddda874264929855038d50dd3df2
            • Instruction ID: 958a8fe3c13b1f5b3876333373a7b29ea36de049fb7cd4f2808f395a9560e70e
            • Opcode Fuzzy Hash: b4c0eb8d1ac1ad7d5861c68a45ffd3eddd3bddda874264929855038d50dd3df2
            • Instruction Fuzzy Hash: 332128B1D003499FCB10DFAAC845AEEFBF5FF48310F10842AE559A7240C7789945DBA5
            Function 02C70918 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 846 2c70918-2c70963 848 2c70965-2c70971 846->848 849 2c70973-2c709a3 Wow64SetThreadContext 846->849 848->849 851 2c709a5-2c709ab 849->851 852 2c709ac-2c709dc 849->852 851->852
            APIs
            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02C70996
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: ContextThreadWow64
            • String ID:
            • API String ID: 983334009-0
            • Opcode ID: 69516fdc97f6e39ba958ffa54d6dadd3eff6358c10e0e2a3b71d02817d7ffefb
            • Instruction ID: 7559b4b6bc896e33447489513d3a438ab3de7e3d259a17aea262cb003e823f2d
            • Opcode Fuzzy Hash: 69516fdc97f6e39ba958ffa54d6dadd3eff6358c10e0e2a3b71d02817d7ffefb
            • Instruction Fuzzy Hash: BC2138B1D003098FDB10DFAAC4857EEBBF4EF88324F10842AD559A7241CB789945CFA5
            Function 02CFE258 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
            Download Yara Rule
            APIs
            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02CFE2DF
            Memory Dump Source
            • Source File: 00000000.00000002.1787011451.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: DuplicateHandle
            • String ID:
            • API String ID: 3793708945-0
            • Opcode ID: 4338e127d6aa4c58e1d40ca776ea9edfa4141ba914191179c23501eee1800f6e
            • Instruction ID: c56dd26809f54ae65040d658050491a48c7032b20d3583281bc7f868fab4c162
            • Opcode Fuzzy Hash: 4338e127d6aa4c58e1d40ca776ea9edfa4141ba914191179c23501eee1800f6e
            • Instruction Fuzzy Hash: 6021E4B59003499FDB10CF9AD984ADEBFF5EB48310F14841AE958A3350D374A944CFA5
            Function 02C709E9 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
            Download Yara Rule
            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02C70A5E
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 16acb18e58a65a9b20a3960dfd69d68886d5cbad092f4c567ab57053339df7e4
            • Instruction ID: 8e69bea1c66c84712ca80bd19f59812b90db600c8ce570d98c5782e131cb47e2
            • Opcode Fuzzy Hash: 16acb18e58a65a9b20a3960dfd69d68886d5cbad092f4c567ab57053339df7e4
            • Instruction Fuzzy Hash: CA1189B28002488FCB20DFAAC845AEFBFF5EF88320F108419E559A7250CB759540CBA0
            Function 02CFB888 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
            Download Yara Rule
            APIs
            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02CFC121,00000800,00000000,00000000), ref: 02CFC332
            Memory Dump Source
            • Source File: 00000000.00000002.1787011451.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: LibraryLoad
            • String ID:
            • API String ID: 1029625771-0
            • Opcode ID: f5f159243df5ad6461927bd7f10d00666263497cd821a7541aff62cd06dc364e
            • Instruction ID: fe63365572a7b6797624bad81c13da8a899beb24be0e443affaf0c47de629156
            • Opcode Fuzzy Hash: f5f159243df5ad6461927bd7f10d00666263497cd821a7541aff62cd06dc364e
            • Instruction Fuzzy Hash: F51114B6D003098FCB50CF9AC444ADEFBF4EB88320F10842AE519A7200C375AA49CFA5
            Function 02C70862 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: 5b92815c091e1f3e8dc85bd1d644726448ff2611f92b5d0e34fbc5de07e4a2d3
            • Instruction ID: 78a43019b815d9478e7e56e845a014581291d5ef882f7424e20b50e83890ae9b
            • Opcode Fuzzy Hash: 5b92815c091e1f3e8dc85bd1d644726448ff2611f92b5d0e34fbc5de07e4a2d3
            • Instruction Fuzzy Hash: B91146B19003098BDB20DFAAC4457EEFBF5EF88324F20881AD559A7240CB74A945CBA5
            Function 02C709F0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
            Download Yara Rule
            APIs
            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02C70A5E
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 004e13e46a21d52ad300b2b0984f3ca8d8ef5f87bd05914a4f4b2e3e5c180b30
            • Instruction ID: 1cde8d50041c74e484cc580937b21142facc1b15eacd00bd1d3c5da5d46d5be7
            • Opcode Fuzzy Hash: 004e13e46a21d52ad300b2b0984f3ca8d8ef5f87bd05914a4f4b2e3e5c180b30
            • Instruction Fuzzy Hash: F71167B19003098FCB10DFAAC844AEFBFF5EF88320F208419E519A7250CB75A940CFA0
            Function 02C70868 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            • Opcode ID: 9cad3e2c0a15d80fa73e3777fe289935b725b726bb164d04992e4a5dbd8cda31
            • Instruction ID: e80d0df7746ef0ccd105c00cdfcfe4ef5be476d7201171c26142fe9866d13a70
            • Opcode Fuzzy Hash: 9cad3e2c0a15d80fa73e3777fe289935b725b726bb164d04992e4a5dbd8cda31
            • Instruction Fuzzy Hash: FE1128B1D003498BCB20DFAAC44579FFBF5EF88324F208819D559A7240CB75A945CB95
            Function 02C73AB8 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
            Download Yara Rule
            APIs
            • PostMessageW.USER32(?,?,?,?), ref: 02C73B1D
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: 3b40ca2b111023ebfdcbde678f4ef9bccd0d13ed398340912fdc8e1b7ceabc96
            • Instruction ID: dc5808888ec3da0188258ff9bd72a029549c5447416fcdc5415622dd0af74b3c
            • Opcode Fuzzy Hash: 3b40ca2b111023ebfdcbde678f4ef9bccd0d13ed398340912fdc8e1b7ceabc96
            • Instruction Fuzzy Hash: BE1110B5800349DFDB10DF9AC889BDEBBF8FB48320F20845AE558A7610C375A944CFA1
            Function 02CFC040 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
            Download Yara Rule
            APIs
            • GetModuleHandleW.KERNELBASE(00000000), ref: 02CFC0A6
            Memory Dump Source
            • Source File: 00000000.00000002.1787011451.0000000002CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CF0000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2cf0000_SecuriteInfo.jbxd
            Similarity
            • API ID: HandleModule
            • String ID:
            • API String ID: 4139908857-0
            • Opcode ID: 7066ba915e61c589b57265ece1a09f8ce79c7efba063911f8de24705e3bc0e9a
            • Instruction ID: 7ffbfbf3e2e41b6a98e8dda0643ff6a72c0b0391220418eb21ea05e6af4107be
            • Opcode Fuzzy Hash: 7066ba915e61c589b57265ece1a09f8ce79c7efba063911f8de24705e3bc0e9a
            • Instruction Fuzzy Hash: 101110B5D003498FCB20DF9AC844ADEFBF4EB88324F10841AD959B7610C375A64ACFA1
            Function 02C73AC0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
            Download Yara Rule
            APIs
            • PostMessageW.USER32(?,?,?,?), ref: 02C73B1D
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID: MessagePost
            • String ID:
            • API String ID: 410705778-0
            • Opcode ID: d92f0b7663646d5faf1179b15c9a4147274b4e78393d3f09ea91930db9501587
            • Instruction ID: 259caedc70eecd626dc96e7b25b9ae8b46924a1722313867322d57b5728049f4
            • Opcode Fuzzy Hash: d92f0b7663646d5faf1179b15c9a4147274b4e78393d3f09ea91930db9501587
            • Instruction Fuzzy Hash: 421103B58003499FCB10DF9AC849BDEBBF8EB48320F10845AD559A7200C375A544CFA1
            Function 010CD4C4 Relevance: .1, Instructions: 75COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1786279344.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_10cd000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e2bf4858b69d78527b55bc1997fed0801cc65031d6a942c9c8bd40d6cec1176b
            • Instruction ID: 72201caca64300fda88f13a52e6afff60e8b23d971f7035f52acc802fb4f0327
            • Opcode Fuzzy Hash: e2bf4858b69d78527b55bc1997fed0801cc65031d6a942c9c8bd40d6cec1176b
            • Instruction Fuzzy Hash: AD212471500200DFCB01DF58D8C0B2ABFA5FB94718F20C5BDE9490A246C336D416CBE1
            Function 010DD01C Relevance: .1, Instructions: 72COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1786324186.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_10dd000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7b63ebd3e99787070f9fc442f593916949f44df5aa00101048de0df79c8f35ca
            • Instruction ID: c9859a6b7030f06d23f0b0f74e2fc845e042a7b8623c215577bcc9de5def84d6
            • Opcode Fuzzy Hash: 7b63ebd3e99787070f9fc442f593916949f44df5aa00101048de0df79c8f35ca
            • Instruction Fuzzy Hash: 7E21D375604300DFDB15DF58D984B16BFA5EB84354F24C9ADE98A4B286C336D407CB61
            Function 010DD1D4 Relevance: .1, Instructions: 72COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1786324186.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_10dd000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ae1179543469e1d1126da07c46b614d5102ad086b9b8384d06dd99b5351de55b
            • Instruction ID: 5f96dff91db16a1d4e71e81c230d5a3d43e8ca92cf4ef2baabcb1fddb86b94a7
            • Opcode Fuzzy Hash: ae1179543469e1d1126da07c46b614d5102ad086b9b8384d06dd99b5351de55b
            • Instruction Fuzzy Hash: A421F575604300EFDB05DF98D9C4B25BBA5FB94324F24C6ADE98A4B292C336D406CB61
            Function 010DD006 Relevance: .1, Instructions: 60COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1786324186.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_10dd000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3ff9ef2cbaa725e811acbc49e1fd276a900ed6ce44ec49aec74232d9779e4ed9
            • Instruction ID: 4725c70acec95b794d1897e92f51667a9b24c694ae5725e802f2e086455a52dd
            • Opcode Fuzzy Hash: 3ff9ef2cbaa725e811acbc49e1fd276a900ed6ce44ec49aec74232d9779e4ed9
            • Instruction Fuzzy Hash: 8921C6755093808FDB13CF64D594715BFB1EB85314F28C5DAD8898B697C33AD40ACB62
            Function 010CD4BF Relevance: .1, Instructions: 56COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1786279344.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_10cd000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
            • Instruction ID: fda50d554018457cf2ae19f01d37f8a66389080fc98a4e23650e9324a9d7ac2d
            • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
            • Instruction Fuzzy Hash: 5F11DF76504280CFCB02CF54D9C4B1ABFB2FB94724F24C6ADD8490B256C336D45ACBA1
            Function 010DD1CF Relevance: .1, Instructions: 53COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1786324186.00000000010DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010DD000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_10dd000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
            • Instruction ID: 40f6c3cb2d0001f3227a3d05ca50c684fb74d7fc6321861f93633f66448af5bd
            • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
            • Instruction Fuzzy Hash: BC11BB75904380DFDB02CF54C5C4B25BBB2FB84224F24C6ADD8894B696C33AD40ACB61
            Function 010CD759 Relevance: .0, Instructions: 45COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1786279344.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_10cd000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 468626f2792033d5982bf4e54f4ed4a9c9b97e8080c31899d0754f3690dbea44
            • Instruction ID: 8ca8cd48eb199e6930518cf647edbc12e81e9556585194f4445ed0aa0c25a111
            • Opcode Fuzzy Hash: 468626f2792033d5982bf4e54f4ed4a9c9b97e8080c31899d0754f3690dbea44
            • Instruction Fuzzy Hash: EA01D8710043809AE7515B59CC8476EBFD8EF51721F18C96EED4D0A286D7389440CBB1
            Function 010CD758 Relevance: .0, Instructions: 36COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1786279344.00000000010CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010CD000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_10cd000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e3db44bbd6bcba32abde8f4ac095af6b87ffbc1ea8da34f5ae05ec1aeabf6497
            • Instruction ID: 38c3f53ce5347d049c561f613676b1966ea6d0b084b5449e0034cf46fa5f9df1
            • Opcode Fuzzy Hash: e3db44bbd6bcba32abde8f4ac095af6b87ffbc1ea8da34f5ae05ec1aeabf6497
            • Instruction Fuzzy Hash: D8F0C231004380AEE7618B0ACC84B66FFE8EF50734F18C55EED480A286C379A840CBB0

            Non-executed Functions

            Function 02C76978 Relevance: 2.8, Strings: 2, Instructions: 298COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: PH^q$PH^q
            • API String ID: 0-1598597984
            • Opcode ID: 8564afac5f605272f2f236fe2243058c89e6c00cfe31dfe0b04e3b002e51c241
            • Instruction ID: f6af9b545d4bee43afe5532612fd046b4172093d27408880be8e26097629075a
            • Opcode Fuzzy Hash: 8564afac5f605272f2f236fe2243058c89e6c00cfe31dfe0b04e3b002e51c241
            • Instruction Fuzzy Hash: 1BD1B334B00604CFDB18DF69C598AA9B7F5BF8D705F2580A9E40AAB361DB31AD41CF60
            Function 02C70040 Relevance: .3, Instructions: 312COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ed39ec3ad521d50e978dc6cfdbd3f5f3f2fb5b9be24c0eb5287f08dad93ecfff
            • Instruction ID: 37caedea4ebc4b0d08334341d962eb5afe4ece35cb676c2b29fdc89e2ea112c7
            • Opcode Fuzzy Hash: ed39ec3ad521d50e978dc6cfdbd3f5f3f2fb5b9be24c0eb5287f08dad93ecfff
            • Instruction Fuzzy Hash: 72E1EAB4E011198FDB14DFA9C5909AEFBF2FF89304F248169E414AB356D731A941CFA1
            Function 02C70007 Relevance: .2, Instructions: 151COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1786963179.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_2c70000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b9485998e36a35de9a0b62ff49487ba9954c214cf07af675d1e8ee4d0325288c
            • Instruction ID: 46cfc1ad188cc24e0563eaa173fd00f0f2d1645f542b66fc09788c17691d0d62
            • Opcode Fuzzy Hash: b9485998e36a35de9a0b62ff49487ba9954c214cf07af675d1e8ee4d0325288c
            • Instruction Fuzzy Hash: 9D615E70E052598FCB15CF69C9905AEBFF2FF8A304F2481AAD408AB356D7319945CFA1

            Execution Graph

            Execution Coverage:0.5%
            Dynamic/Decrypted Code Coverage:5.7%
            Signature Coverage:5.7%
            Total number of Nodes:70
            Total number of Limit Nodes:6
            execution_graph 93241 42a943 93242 42a95d 93241->93242 93245 1042df0 LdrInitializeThunk 93242->93245 93243 42a985 93245->93243 93246 4240e3 93247 4240ff 93246->93247 93248 424127 93247->93248 93249 42413b 93247->93249 93250 42b313 NtClose 93248->93250 93256 42b313 93249->93256 93252 424130 93250->93252 93253 424144 93259 42d333 RtlAllocateHeap 93253->93259 93255 42414f 93257 42b330 93256->93257 93258 42b341 NtClose 93257->93258 93258->93253 93259->93255 93301 424473 93304 424482 93301->93304 93302 4244c9 93303 42d213 RtlFreeHeap 93302->93303 93305 4244d9 93303->93305 93304->93302 93306 42450a 93304->93306 93308 42450f 93304->93308 93307 42d213 RtlFreeHeap 93306->93307 93307->93308 93309 42e2f3 93310 42e303 93309->93310 93311 42e309 93309->93311 93312 42d2f3 RtlAllocateHeap 93311->93312 93313 42e32f 93312->93313 93260 41de83 93261 41dea9 93260->93261 93265 41df97 93261->93265 93266 42e423 93261->93266 93263 41df3b 93263->93265 93272 42a993 93263->93272 93267 42e393 93266->93267 93268 42e3f0 93267->93268 93276 42d2f3 93267->93276 93268->93263 93270 42e3cd 93279 42d213 93270->93279 93273 42a9b0 93272->93273 93288 1042c0a 93273->93288 93274 42a9dc 93274->93265 93282 42b613 93276->93282 93278 42d30e 93278->93270 93285 42b663 93279->93285 93281 42d22c 93281->93268 93283 42b630 93282->93283 93284 42b641 RtlAllocateHeap 93283->93284 93284->93278 93286 42b67d 93285->93286 93287 42b68e RtlFreeHeap 93286->93287 93287->93281 93289 1042c11 93288->93289 93290 1042c1f LdrInitializeThunk 93288->93290 93289->93274 93290->93274 93314 401a98 93315 401aaf 93314->93315 93318 42e7b3 93315->93318 93321 42cdd3 93318->93321 93320 401ba0 93322 42cdf9 93321->93322 93324 42ce41 93322->93324 93325 41ab73 NtClose 93322->93325 93324->93320 93325->93324 93291 4164aa 93294 42bd53 93291->93294 93293 416463 93296 42bd6b 93294->93296 93295 42bd8f 93295->93293 93296->93295 93297 42a993 LdrInitializeThunk 93296->93297 93298 42bde4 93297->93298 93299 42d213 RtlFreeHeap 93298->93299 93300 42bdfd 93299->93300 93300->93293

            Executed Functions

            Function 0042B313 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 28 42b313-42b34f call 404803 call 42c3a3 NtClose
            APIs
            Memory Dump Source
            • Source File: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_SecuriteInfo.jbxd
            Yara matches
            Similarity
            • API ID: Close
            • String ID:
            • API String ID: 3535843008-0
            • Opcode ID: 8cf92a311490d6b713e6b933524410f40cd6b60585ef6e24ea01071ac6d68e70
            • Instruction ID: d553735f12dcd91997c2bfea5c748e7af7f21e442c20e9529220de16dde7586a
            • Opcode Fuzzy Hash: 8cf92a311490d6b713e6b933524410f40cd6b60585ef6e24ea01071ac6d68e70
            • Instruction Fuzzy Hash: C3E086762502147BC620FA5ADC41F9B776CDFC5714F108429FE0C67141C670BA1087F4
            Function 01042DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 37 1042df0-1042dfc LdrInitializeThunk
            APIs
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 89d55e39f9c2026276ac106a818a6c0ae6951a7f7069f8b2d03631b79b9080d4
            • Instruction ID: f8a3217b10e772ebab4bd2e79d2b7d4504856353885981b4bbe7b1e803916f72
            • Opcode Fuzzy Hash: 89d55e39f9c2026276ac106a818a6c0ae6951a7f7069f8b2d03631b79b9080d4
            • Instruction Fuzzy Hash: 4190023120140413E25171598504707000997D0241F95C413B8824558DD6568E52A621
            Function 0042B663 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 23 42b663-42b6a4 call 404803 call 42c3a3 RtlFreeHeap
            APIs
            • RtlFreeHeap.NTDLL(00411EEF,?,00411EEF,?,00000000,00411EEF,?,00411EEF,?,?), ref: 0042B69F
            Memory Dump Source
            • Source File: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_SecuriteInfo.jbxd
            Yara matches
            Similarity
            • API ID: FreeHeap
            • String ID:
            • API String ID: 3298025750-0
            • Opcode ID: 7fd86adcd79e9cea16da5c4e0a1bb27a40c424895336ef2c37afb1f6315b753b
            • Instruction ID: 285e0d1cb086cab4e195ef97c49c1fe8c076e5c065ee6ae54c5d2079a32fa6ce
            • Opcode Fuzzy Hash: 7fd86adcd79e9cea16da5c4e0a1bb27a40c424895336ef2c37afb1f6315b753b
            • Instruction Fuzzy Hash: 1EE06DB6204258BBD614EF99DC41FEB73ACEFC9710F004419FA08A7241C670B910C7B4
            Function 0042B613 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 18 42b613-42b657 call 404803 call 42c3a3 RtlAllocateHeap
            APIs
            • RtlAllocateHeap.NTDLL(?,0041DF3B,?,?,00000000,?,0041DF3B,?,?,?), ref: 0042B652
            Memory Dump Source
            • Source File: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_SecuriteInfo.jbxd
            Yara matches
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 912b5357c411c9b4656f23b054b57a02fda9b7fe3207d12f6ecc23e170454d9c
            • Instruction ID: c64bcc9710de2e727891552d78514d2e6bd11ecedf4892e25e237a30c1dba70e
            • Opcode Fuzzy Hash: 912b5357c411c9b4656f23b054b57a02fda9b7fe3207d12f6ecc23e170454d9c
            • Instruction Fuzzy Hash: 2EE06DB62102547BC614EE59DC81FAB37ACEFC5710F004819F908A7241C670B9118AB8
            Function 01042C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 33 1042c0a-1042c0f 34 1042c11-1042c18 33->34 35 1042c1f-1042c26 LdrInitializeThunk 33->35
            APIs
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: d34150ab1a86e3f31102741c337da352ccd812e877dc768de225b2df1dbb269e
            • Instruction ID: 453b4d696114004e5306233835a2281419c845ed04636bc3aad17baf82e90624
            • Opcode Fuzzy Hash: d34150ab1a86e3f31102741c337da352ccd812e877dc768de225b2df1dbb269e
            • Instruction Fuzzy Hash: F2B09B719015C5C6EB51E7645608717794077D0701F15C072F6430641F4778C5D1E675

            Non-executed Functions

            Function 01082349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2160512332
            • Opcode ID: f531d8d28427ba49d0416c1acf8d866fe4284961127fc506a28b784c64069bc7
            • Instruction ID: b77ba31705c1c26eb0feb75a000d266a0b188a817176aa02885c2a666bba656f
            • Opcode Fuzzy Hash: f531d8d28427ba49d0416c1acf8d866fe4284961127fc506a28b784c64069bc7
            • Instruction Fuzzy Hash: C4928F71608741AFE721EF18C880B6BBBE8BB84754F04492DFAD5D7291D774E844CB92
            Function 01038620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
            Download Yara Rule
            Strings
            • 8, xrefs: 010752E3
            • undeleted critical section in freed memory, xrefs: 0107542B
            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010754E2
            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010754CE
            • Invalid debug info address of this critical section, xrefs: 010754B6
            • double initialized or corrupted critical section, xrefs: 01075508
            • Thread identifier, xrefs: 0107553A
            • Critical section address., xrefs: 01075502
            • Critical section address, xrefs: 01075425, 010754BC, 01075534
            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0107540A, 01075496, 01075519
            • Thread is in a state in which it cannot own a critical section, xrefs: 01075543
            • Address of the debug info found in the active list., xrefs: 010754AE, 010754FA
            • Critical section debug info address, xrefs: 0107541F, 0107552E
            • corrupted critical section, xrefs: 010754C2
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
            • API String ID: 0-2368682639
            • Opcode ID: 66c3c782ca13dc6f6b60b59b9f6541b63b2c8091eff91e63e56810ab406748d8
            • Instruction ID: adbd818cc0dfc0b1212a869042f226bcc2828007693fd417f5a8d4867f9f09f8
            • Opcode Fuzzy Hash: 66c3c782ca13dc6f6b60b59b9f6541b63b2c8091eff91e63e56810ab406748d8
            • Instruction Fuzzy Hash: A981BAB0E00398AFDB60CF99CC41BEEBBB9EB48B00F148159F548B7280D775A841DB64
            Function 010329F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON
            Download Yara Rule
            Strings
            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 010722E4
            • RtlpResolveAssemblyStorageMapEntry, xrefs: 0107261F
            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01072506
            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 010725EB
            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 010724C0
            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01072412
            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01072409
            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01072602
            • @, xrefs: 0107259B
            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01072624
            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01072498
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
            • API String ID: 0-4009184096
            • Opcode ID: 383575bccfac962db39dcbb443dba11c389a587834b8388158c3387a65414cad
            • Instruction ID: 47e0d468ab0261011f3f07bc32b1a605d455d3792c9ee33caa89e1c27ba85056
            • Opcode Fuzzy Hash: 383575bccfac962db39dcbb443dba11c389a587834b8388158c3387a65414cad
            • Instruction Fuzzy Hash: 89025FF1D0422D9FDB61DB54CC80BDEB7B8AB54314F0041EAA689A7241EB70AF84CF59
            Function 010A8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
            • API String ID: 0-2515994595
            • Opcode ID: 6a973bf4abe4da05054715cf41ecf2e535532f5f02edba13e9debb66be17dd2c
            • Instruction ID: 9ffeb5435e17c57455dfe3325d1ad508edefeab3468364be5a55a1d7f3bc1cc0
            • Opcode Fuzzy Hash: 6a973bf4abe4da05054715cf41ecf2e535532f5f02edba13e9debb66be17dd2c
            • Instruction Fuzzy Hash: 0051C3B15083159BD325EF588848BABBBE8EF94341F948A1FA9D8C7281E770D504DBD2
            Function 010B0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
            • API String ID: 0-1700792311
            • Opcode ID: 308854517b263442df51b81905376401c5fc9bda98978c11ae1ccde1f75e221b
            • Instruction ID: c4319daf2d0e788dba222889006c41788794edef6598b03d0f9efd67e536440b
            • Opcode Fuzzy Hash: 308854517b263442df51b81905376401c5fc9bda98978c11ae1ccde1f75e221b
            • Instruction Fuzzy Hash: 2AD1CC31500685DFDB26DF68C881AEEBBF1FF49700F188099F6859B666C739D981DB10
            Function 010889B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON
            Download Yara Rule
            Strings
            • VerifierFlags, xrefs: 01088C50
            • VerifierDlls, xrefs: 01088CBD
            • AVRF: -*- final list of providers -*- , xrefs: 01088B8F
            • VerifierDebug, xrefs: 01088CA5
            • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01088A3D
            • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01088A67
            • HandleTraces, xrefs: 01088C8F
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
            • API String ID: 0-3223716464
            • Opcode ID: adcfc0aed0b6c2d2d3955dd27657eeefa6aba6c38d157c47cc655271a4244194
            • Instruction ID: 84630b4ec624c869d9a23a1f82c0e9fbd8139ed1f19669fe5b075dcd96e7e1fb
            • Opcode Fuzzy Hash: adcfc0aed0b6c2d2d3955dd27657eeefa6aba6c38d157c47cc655271a4244194
            • Instruction Fuzzy Hash: A9913571649716AFD321FF288C81F6A7BE4AB94714F84855EFAC0AB681C775EC00CB91
            Function 0100EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
            • API String ID: 0-1109411897
            • Opcode ID: 702100a6188e273c72a461bddb59b1fb6c9de8d3078d4605e7c5c73f252e778a
            • Instruction ID: e60028a58cd287c9fb8110fe2e6e62c24d415e1655523e9112d9e8efcaa1e6d9
            • Opcode Fuzzy Hash: 702100a6188e273c72a461bddb59b1fb6c9de8d3078d4605e7c5c73f252e778a
            • Instruction Fuzzy Hash: 8FA23874A0562A8FEB75DF18C8887ADBBB5BF45304F1442E9D98DA7290DB319E85CF00
            Function 010363FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
            • API String ID: 0-792281065
            • Opcode ID: 3b5db39d554fe852067356f2eb55c78cba598998fcd7a4636e4b02e5af84a652
            • Instruction ID: 6a2903d6b17ccf90a04d29b63f0f92e0876026d0b41b11b1e571512232a8996f
            • Opcode Fuzzy Hash: 3b5db39d554fe852067356f2eb55c78cba598998fcd7a4636e4b02e5af84a652
            • Instruction Fuzzy Hash: 7B914970F01315ABEB35EF18D845BAE7BE5BB80B24F04016DE5C0AB6C1DB769902C795
            Function 00FF645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
            Download Yara Rule
            Strings
            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01059A2A
            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01059A01
            • LdrpInitShimEngine, xrefs: 010599F4, 01059A07, 01059A30
            • apphelp.dll, xrefs: 00FF6496
            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 010599ED
            • minkernel\ntdll\ldrinit.c, xrefs: 01059A11, 01059A3A
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-204845295
            • Opcode ID: 588cf0f34fc5e38527071ab7b281f0921fa92759582898a1bbf73308343cc591
            • Instruction ID: 93f3b475c79da4410c9e7c8b90d2010d74b5eabb4c2129ed77ee3a18a5f10c3d
            • Opcode Fuzzy Hash: 588cf0f34fc5e38527071ab7b281f0921fa92759582898a1bbf73308343cc591
            • Instruction Fuzzy Hash: FB518F712083049BE761DF24C842BAB77E8FF84758F14051DFAC59B1A1EB35E904DBA2
            Function 01032674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
            Download Yara Rule
            Strings
            • RtlGetAssemblyStorageRoot, xrefs: 01072160, 0107219A, 010721BA
            • SXS: %s() passed the empty activation context, xrefs: 01072165
            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01072178
            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0107219F
            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01072180
            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 010721BF
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
            • API String ID: 0-861424205
            • Opcode ID: 78e60944b8d97306751f3bc666a914fdfc84a424606227f2eee12496702c13a6
            • Instruction ID: 1a118630e4bb50c347d78e466b1b25c2bd5cc5379c2415fa7557c596022309e8
            • Opcode Fuzzy Hash: 78e60944b8d97306751f3bc666a914fdfc84a424606227f2eee12496702c13a6
            • Instruction Fuzzy Hash: 3131E77AF40355B7E7229A999C45F9E7BBCFBB4B90F050099BB84A7240D2709A00D7A1
            Function 0103C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
            Download Yara Rule
            Strings
            • Unable to build import redirection Table, Status = 0x%x, xrefs: 010781E5
            • Loading import redirection DLL: '%wZ', xrefs: 01078170
            • LdrpInitializeProcess, xrefs: 0103C6C4
            • minkernel\ntdll\ldrredirect.c, xrefs: 01078181, 010781F5
            • minkernel\ntdll\ldrinit.c, xrefs: 0103C6C3
            • LdrpInitializeImportRedirection, xrefs: 01078177, 010781EB
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
            • API String ID: 0-475462383
            • Opcode ID: 2a916cfdaf059826f80ffc68e5bd6b4fad11c2eb6ffcccba7712359e5d6dd6a0
            • Instruction ID: 283c4631676567b581a482a2f3d42b553c93a31fd198fe02c0cfbd4688f5612e
            • Opcode Fuzzy Hash: 2a916cfdaf059826f80ffc68e5bd6b4fad11c2eb6ffcccba7712359e5d6dd6a0
            • Instruction Fuzzy Hash: 073104717483469BD220EF28D94AE6A77E4EFD4B10F04059DF9C5AB291EA20ED04D7A2
            Function 0104096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 01042DF0: LdrInitializeThunk.NTDLL ref: 01042DFA
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01040BA3
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01040BB6
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01040D60
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01040D74
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
            • String ID:
            • API String ID: 1404860816-0
            • Opcode ID: dbef06d61ca8dcf879ce4d2c062209e64e2db6a85ce5b2b92fb1b5877ecb6441
            • Instruction ID: fd6197a33d3c38698eeffb325a65609cf0504a47724caee1557ce330518c7d85
            • Opcode Fuzzy Hash: dbef06d61ca8dcf879ce4d2c062209e64e2db6a85ce5b2b92fb1b5877ecb6441
            • Instruction Fuzzy Hash: DC425BB1900715DFDB61CF68C880BEAB7F5BF04314F1485A9EA89EB245E770A984CF61
            Function 0100A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
            • API String ID: 0-379654539
            • Opcode ID: 8611d750f5bbdf22f2a13464b47917208c61453f4e1dbb53133cccd3626daf82
            • Instruction ID: e6ce0390bd5e7843ab4efb5cbbd7163ed8a95b3c9ddf96bd7c1294e5abdaf0ce
            • Opcode Fuzzy Hash: 8611d750f5bbdf22f2a13464b47917208c61453f4e1dbb53133cccd3626daf82
            • Instruction Fuzzy Hash: 21C19F74608386CFE712DF68C440BAAB7E4FF84714F04496AF9D58B291E735CA49CB52
            Function 01038402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
            Download Yara Rule
            Strings
            • LdrpInitializeProcess, xrefs: 01038422
            • @, xrefs: 01038591
            • minkernel\ntdll\ldrinit.c, xrefs: 01038421
            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0103855E
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1918872054
            • Opcode ID: 97c74bf7c3b7d7ecc6637e00dc2b93e08ddec52d3e88b1fc2b6b645dd3b36144
            • Instruction ID: 635db71fa0b428cbae3b020d8fbb76f0d196e1e8b68c19ca396bb3816903a4bc
            • Opcode Fuzzy Hash: 97c74bf7c3b7d7ecc6637e00dc2b93e08ddec52d3e88b1fc2b6b645dd3b36144
            • Instruction Fuzzy Hash: 5C91AE71648345AFD721DF64CC80EABBAECBF88744F404A6EFAC496191E734D904CB52
            Function 0103273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
            Download Yara Rule
            Strings
            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 010721D9, 010722B1
            • SXS: %s() passed the empty activation context, xrefs: 010721DE
            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 010722B6
            • .Local, xrefs: 010328D8
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
            • API String ID: 0-1239276146
            • Opcode ID: 779cd038bcc88341eb98d72b3b31ffc4746058b1ec137b6c26d2fb699c331dc3
            • Instruction ID: 9fb01288b9907205fd4e4facea9c63b2394454cca50e1aa42feacc8c6aa49f4a
            • Opcode Fuzzy Hash: 779cd038bcc88341eb98d72b3b31ffc4746058b1ec137b6c26d2fb699c331dc3
            • Instruction Fuzzy Hash: E0A1D035D0022ADBDB24CF68DC84BA9B7B5BF98314F1541EAD988AB251D730DE81CF94
            Function 010064AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
            Download Yara Rule
            Strings
            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 010610AE
            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01060FE5
            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01061028
            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0106106B
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
            • API String ID: 0-1468400865
            • Opcode ID: a6e77c53d66be635bc7429c030327598b1b9777c79ba7cc94cbea21b2f89f357
            • Instruction ID: 4e43a4fe45726b1d3f0773839befca6483537d632de2695c3c5c72fb4cdb4422
            • Opcode Fuzzy Hash: a6e77c53d66be635bc7429c030327598b1b9777c79ba7cc94cbea21b2f89f357
            • Instruction Fuzzy Hash: 5C71F0B19043059FDB62EF14C884B9B7FE9AF54764F4004A8F9888B286D736D588CBD2
            Function 0102245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
            Download Yara Rule
            Strings
            • LdrpDynamicShimModule, xrefs: 0106A998
            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0106A992
            • apphelp.dll, xrefs: 01022462
            • minkernel\ntdll\ldrinit.c, xrefs: 0106A9A2
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
            • API String ID: 0-176724104
            • Opcode ID: f9c98b0652c300e0c577ff98eee5360a9010297fe3022d67762f8da06f3668aa
            • Instruction ID: 7376a25d23d35b824051683c7e11dec5080ac1f2e92e2fc00d0a8aeb785df146
            • Opcode Fuzzy Hash: f9c98b0652c300e0c577ff98eee5360a9010297fe3022d67762f8da06f3668aa
            • Instruction Fuzzy Hash: 4B312771B00201EBD731EF59D842AAEB7F9FB84B14F25005EE9C17B645CB759882CB90
            Function 010129A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
            Download Yara Rule
            Strings
            • HEAP: , xrefs: 01013264
            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0101327D
            • HEAP[%wZ]: , xrefs: 01013255
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
            • API String ID: 0-617086771
            • Opcode ID: efbdf1c6f04a488e45d1f94c16a1fe04f4013e8d91e852436cf8dab4c190435d
            • Instruction ID: 18637d5e107193f860e98bcb2dc992a7d26fabdb280be11a9979b30d20765bcd
            • Opcode Fuzzy Hash: efbdf1c6f04a488e45d1f94c16a1fe04f4013e8d91e852436cf8dab4c190435d
            • Instruction Fuzzy Hash: F892DE71A04249DFDB25CFA8C4407AEBBF1FF48310F1884A9E989AB395D739A941CF50
            Function 01010770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-4253913091
            • Opcode ID: 8d8bef15216eeac2aa650328030972bf4e462b1f3013c05a0aa4145fbaaf2c61
            • Instruction ID: b1848d0fc8255a0f08d1a6696cb1d5e923a44a71ec98b5e55dd686f7a0aea288
            • Opcode Fuzzy Hash: 8d8bef15216eeac2aa650328030972bf4e462b1f3013c05a0aa4145fbaaf2c61
            • Instruction Fuzzy Hash: EFF19D30600606DFEB25CF68C894BAAB7F5FF45704F1481A9E5D69B389D738E981CB90
            Function 01026962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: $@
            • API String ID: 0-1077428164
            • Opcode ID: 2233aa13e123c26df054477899f7a69eee79dfa167dd6ab350e62b7e24387519
            • Instruction ID: d27aa60250c9333e191400f0a3289aed5b021873c9b192906c8c3ff0f319f727
            • Opcode Fuzzy Hash: 2233aa13e123c26df054477899f7a69eee79dfa167dd6ab350e62b7e24387519
            • Instruction Fuzzy Hash: 62C28D716083619FEB65CF28C881BABBBE5BF98714F04896DF9C987241D735D804CB92
            Function 00FFA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: FilterFullPath$UseFilter$\??\
            • API String ID: 0-2779062949
            • Opcode ID: c6b20677ae12f68429048d9c56a13cb35b488ac582aa4cf83915972b44eb898f
            • Instruction ID: 86adc2f7541c05e08650fe74728859055e81c28731c3e05ae96edbecd42a60f1
            • Opcode Fuzzy Hash: c6b20677ae12f68429048d9c56a13cb35b488ac582aa4cf83915972b44eb898f
            • Instruction Fuzzy Hash: 3BA18D719016299BEB71DF28CD88BEAB7F8EF44710F1041EAEA49A7250D7359E84CF50
            Function 01020BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON
            Download Yara Rule
            Strings
            • LdrpCheckModule, xrefs: 0106A117
            • Failed to allocated memory for shimmed module list, xrefs: 0106A10F
            • minkernel\ntdll\ldrinit.c, xrefs: 0106A121
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
            • API String ID: 0-161242083
            • Opcode ID: 975e39424949d0bc93e1fd892b0dcb13347ed7fbcaa92e82cfdf627dcef285fe
            • Instruction ID: e576b43bcfe48e872a4b5c008e3ead754e61af40858ce85e6953e1208468a994
            • Opcode Fuzzy Hash: 975e39424949d0bc93e1fd892b0dcb13347ed7fbcaa92e82cfdf627dcef285fe
            • Instruction Fuzzy Hash: DE71D1B0A00309DFDB25EF68C981AAEB7F4FB44704F14446DE582AB655E735A941CB50
            Function 01010A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-1334570610
            • Opcode ID: 8c828c68bab9f5ff95beca3814cefb4f0b73894123157ac488d3a63528815b5a
            • Instruction ID: f2d73d0bcbc29736667ef534651fa23931ed5c4f6c68d31707185a839b75f643
            • Opcode Fuzzy Hash: 8c828c68bab9f5ff95beca3814cefb4f0b73894123157ac488d3a63528815b5a
            • Instruction Fuzzy Hash: 7661BE71600305DFDB29CF28C881BAABBE5FF44704F148599F5D98B29AD7B4E881CB91
            Function 0103C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
            Download Yara Rule
            Strings
            • LdrpInitializePerUserWindowsDirectory, xrefs: 010782DE
            • Failed to reallocate the system dirs string !, xrefs: 010782D7
            • minkernel\ntdll\ldrinit.c, xrefs: 010782E8
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
            • API String ID: 0-1783798831
            • Opcode ID: 00df9e24c94bac3a5051da32cc8177df00abf2de0f7ea6ba616952334c3d3f19
            • Instruction ID: df6580f5ad2ae042d983018752947a392c897ff385902370e4a0f2d8ecadd782
            • Opcode Fuzzy Hash: 00df9e24c94bac3a5051da32cc8177df00abf2de0f7ea6ba616952334c3d3f19
            • Instruction Fuzzy Hash: 6B41F171544305ABE761EB28DD46B9B77E8BF88750F10492EF9C4E7290EB79D800CB91
            Function 010BC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
            Download Yara Rule
            Strings
            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 010BC1C5
            • @, xrefs: 010BC1F1
            • PreferredUILanguages, xrefs: 010BC212
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
            • API String ID: 0-2968386058
            • Opcode ID: 0be92f5bd61c1ab4b9b3c973df2a76b87575acba8da0fda18475de3b6fe6db10
            • Instruction ID: 28da911db107063b86a50c2625918c0866277dc580dbca8d552bdfc6240d044f
            • Opcode Fuzzy Hash: 0be92f5bd61c1ab4b9b3c973df2a76b87575acba8da0fda18475de3b6fe6db10
            • Instruction Fuzzy Hash: 53416271E00209EBEB51DBD8C981FEEBBF9AB14700F14406AEA49F7290D7749E458B90
            Function 01094144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
            • API String ID: 0-1373925480
            • Opcode ID: 2e51feafd66c792231b69b4f41a1945e2171a3bef6d6f4e42129c9e2056da704
            • Instruction ID: 2cbba39bf916c403bf7f2892cadee8ed8e5144b0935300cf520498b5adab2319
            • Opcode Fuzzy Hash: 2e51feafd66c792231b69b4f41a1945e2171a3bef6d6f4e42129c9e2056da704
            • Instruction Fuzzy Hash: 34410371A042498BEF22DBE9CA60BADBBF5FF55340F1404A9D981EF381D7348902DB10
            Function 01084755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            Strings
            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01084888
            • LdrpCheckRedirection, xrefs: 0108488F
            • minkernel\ntdll\ldrredirect.c, xrefs: 01084899
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
            • API String ID: 0-3154609507
            • Opcode ID: 485174ede4be0b9bd79285c0c6817346722b7c1f2480fa8d75a7582e3ba2b532
            • Instruction ID: 2eaf2d4b56a79cc4f99daf74a7f28f6b2fb10accd11fb740fc7b5534b1078ce3
            • Opcode Fuzzy Hash: 485174ede4be0b9bd79285c0c6817346722b7c1f2480fa8d75a7582e3ba2b532
            • Instruction Fuzzy Hash: 6041AF32A18353DBCB61FE58D840B6A7BE5BF49A50B0505ADEDC8EB355E731E800CB91
            Function 01010BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
            • API String ID: 0-2558761708
            • Opcode ID: 8ec6aaf2743b3003bb62d77a82b80eafa7a8b1abcdf7bf1ac660efed9d293147
            • Instruction ID: c9cb7b1ddbb101318119636b38fb3e9d851bae101b1c6d29469643d7458c5de1
            • Opcode Fuzzy Hash: 8ec6aaf2743b3003bb62d77a82b80eafa7a8b1abcdf7bf1ac660efed9d293147
            • Instruction Fuzzy Hash: B111A2313151429FD769DA18CC81BBAB3A9EF40B5AF188199F5C6CB299DF38D880C751
            Function 010820DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
            Download Yara Rule
            Strings
            • LdrpInitializationFailure, xrefs: 010820FA
            • Process initialization failed with status 0x%08lx, xrefs: 010820F3
            • minkernel\ntdll\ldrinit.c, xrefs: 01082104
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
            • API String ID: 0-2986994758
            • Opcode ID: 55fbafcf7c26216db31ec2eae84f063bdb9d2d603a6232f31464e9573fce5a4e
            • Instruction ID: 8c42b0af26b8049a9addb3bd9c7a9b04bc4961f1d40be2a1a8998c0c8bc8bd0a
            • Opcode Fuzzy Hash: 55fbafcf7c26216db31ec2eae84f063bdb9d2d603a6232f31464e9573fce5a4e
            • Instruction Fuzzy Hash: ECF02274640348BBEB24E60CCC43F9937ACFB40B54F2000A9F7C0AB681D6B0AA50C682
            Function 010103E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: #%u
            • API String ID: 48624451-232158463
            • Opcode ID: f87120e10984601a866cf3b5580724873a8f5fdcf39b9700e3211de403392e24
            • Instruction ID: 5513b3bd9989e56321d804a897ffe701b96f7500facddea0abce4d77c6bde0ec
            • Opcode Fuzzy Hash: f87120e10984601a866cf3b5580724873a8f5fdcf39b9700e3211de403392e24
            • Instruction Fuzzy Hash: 31714CB1A0014A9FDB01DFA8D990BEEB7F8FF18704F144065E985EB255EA38ED45CB60
            Function 0100A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON
            Download Yara Rule
            Strings
            • LdrResSearchResource Enter, xrefs: 0100AA13
            • LdrResSearchResource Exit, xrefs: 0100AA25
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
            • API String ID: 0-4066393604
            • Opcode ID: 280a862397f633b420483f23b8d73d99b12440ef3fdd452e134c52aeece647cd
            • Instruction ID: 093e71168a27aba608453b494562f941e2332d1c6e4880e619efa7158fdeb55d
            • Opcode Fuzzy Hash: 280a862397f633b420483f23b8d73d99b12440ef3fdd452e134c52aeece647cd
            • Instruction Fuzzy Hash: E8E16C71F00719EBFB22CB98C990BEEBBB9BF45310F144466E981EB292D7749941CB50
            Function 010CA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: `$`
            • API String ID: 0-197956300
            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction ID: 2a86880aea22fb12b000d34216fb002884e7ae4134e905c1332661a75f92f677
            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
            • Instruction Fuzzy Hash: E6C17B3120434A9BE725CF28C841B6EBBE5AF94B18F088A2DF6D68B290E775D505CF51
            Function 0107E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: Legacy$UEFI
            • API String ID: 2994545307-634100481
            • Opcode ID: 7590ccf3553df2993a5b0f9b7d4d9e8c514ca9877362f11285bb56329cc48102
            • Instruction ID: a4602273bac3f3ad92b417b54d12e51df850ec1178732d0c234eede9945be70b
            • Opcode Fuzzy Hash: 7590ccf3553df2993a5b0f9b7d4d9e8c514ca9877362f11285bb56329cc48102
            • Instruction Fuzzy Hash: D8616D71E017099FDB55DFA9C880BAEBBF5FB48700F1440ADE689EB291D731A900CB54
            Function 010A43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: @$MUI
            • API String ID: 0-17815947
            • Opcode ID: c9aadcd38c54d4dcc15ec613919ce0e3fe373c88579519a2fc185def00a85f88
            • Instruction ID: 8a436541a39694b91cf5a96d9dcd3af73b803a267b605a25702a621e61103df9
            • Opcode Fuzzy Hash: c9aadcd38c54d4dcc15ec613919ce0e3fe373c88579519a2fc185def00a85f88
            • Instruction Fuzzy Hash: 3C5149B5E0021DAFDB11DFE9CC80AEEBBB8EB04754F540529EA91F7281D7709905CBA0
            Function 010004E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
            Download Yara Rule
            Strings
            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0100063D
            • kLsE, xrefs: 01000540
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
            • API String ID: 0-2547482624
            • Opcode ID: d087045c8ca075e413401c4e1332dbb4be0f6aa9495a7ea112c35e013303847f
            • Instruction ID: 7be2dd7fd019aa7e47efefc141d402da50c702ee1afa2797beda2a83153c4b5d
            • Opcode Fuzzy Hash: d087045c8ca075e413401c4e1332dbb4be0f6aa9495a7ea112c35e013303847f
            • Instruction Fuzzy Hash: 2B51BE715047428BE726EF28C8407E7BBE5AF88340F10883EFADA87285E775D545CB92
            Function 0100A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON
            Download Yara Rule
            Strings
            • RtlpResUltimateFallbackInfo Exit, xrefs: 0100A309
            • RtlpResUltimateFallbackInfo Enter, xrefs: 0100A2FB
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
            • API String ID: 0-2876891731
            • Opcode ID: ea1f8ee48cc54f0b2c1a8fecf486640efa82cbcfc17919c5ab06f46353901ff6
            • Instruction ID: dfd395b8d2da68ab1ec6770785a3c783a1b6db2e66c67c70c8fb90e9baedd59d
            • Opcode Fuzzy Hash: ea1f8ee48cc54f0b2c1a8fecf486640efa82cbcfc17919c5ab06f46353901ff6
            • Instruction Fuzzy Hash: D6418B30B04745DBEB129F69C840BAE7BF8FF95740F1480A5E980DB2A1E2B5D940CB51
            Function 0103A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID: Cleanup Group$Threadpool!
            • API String ID: 2994545307-4008356553
            • Opcode ID: 57633a19ac1fc4b0cfbb76981c54f4efc8797603fef27f78cfd9b688c2d175e5
            • Instruction ID: a58229ccaf1b19601da6b6d8b51af5ce499ca9ee4e9e769037f4ed8747f28872
            • Opcode Fuzzy Hash: 57633a19ac1fc4b0cfbb76981c54f4efc8797603fef27f78cfd9b688c2d175e5
            • Instruction Fuzzy Hash: 2201D1B2240B00EFD311DF14CD46B1677E8E788B15F058939A6C8C7590E739D804EB46
            Function 0100C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: MUI
            • API String ID: 0-1339004836
            • Opcode ID: e72e22f984e2dbf9af8832f2bc42e7df4f02daffbc5a5d8515bf643500e6a332
            • Instruction ID: 0623176fa75cabd22f7911d7df67773fe847cf083878301790b7cab997bd4704
            • Opcode Fuzzy Hash: e72e22f984e2dbf9af8832f2bc42e7df4f02daffbc5a5d8515bf643500e6a332
            • Instruction Fuzzy Hash: 05824F75E002199FFB66CFA9C9807EDBBB1BF44310F1481A9E999AB391D7309D81CB50
            Function 01086420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: 01f308db07c03270dc5d6e5ff5c4ea50e3796860520e469b84475508efa27efb
            • Instruction ID: 31307f17dda59d052fe7871a58fb728d4e4207f080c8964b0958352231fad3ac
            • Opcode Fuzzy Hash: 01f308db07c03270dc5d6e5ff5c4ea50e3796860520e469b84475508efa27efb
            • Instruction Fuzzy Hash: 2D916271A40219AFEB21EF95CD85FEE7BB8EF18B50F114065F680AB190D775AD00CBA0
            Function 010AE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: baab8e5f898128312c0529098fc0f0534e86cfa0ddc2f89ec6de4a8325c358c0
            • Instruction ID: 3ed04875f7dd93efb6d43ac6d1c6e12b6ffa5eef9ed70d82d560048176e873a1
            • Opcode Fuzzy Hash: baab8e5f898128312c0529098fc0f0534e86cfa0ddc2f89ec6de4a8325c358c0
            • Instruction Fuzzy Hash: C891A072900609BFDB22ABE5DC84FEFBBB9EF85750F504029F581A7251DB359901CB90
            Function 0103A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: GlobalTags
            • API String ID: 0-1106856819
            • Opcode ID: 1c5b24bbcad73a12e7009d3bcf77c70dd77e340ccc744364573f3001b206d145
            • Instruction ID: 3eb0f29dfa928d4d16d1652a9207aba4237febb2d730ad8c9a596e4693023fda
            • Opcode Fuzzy Hash: 1c5b24bbcad73a12e7009d3bcf77c70dd77e340ccc744364573f3001b206d145
            • Instruction Fuzzy Hash: A2716DB5E0061ACFEF68CF99C5906EDBBF1BF48740F14816EE486A7241E7329841CB58
            Function 010A4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: .mui
            • API String ID: 0-1199573805
            • Opcode ID: 9cc056a3e3ca4e990ce5fd709dc3d7e28bfda838070fb0ef689f9b0b7859c2f9
            • Instruction ID: 455fd94f74468202d8458fc28d59a14fb01f671e471ae4ab4f2b9f451f6be4af
            • Opcode Fuzzy Hash: 9cc056a3e3ca4e990ce5fd709dc3d7e28bfda838070fb0ef689f9b0b7859c2f9
            • Instruction Fuzzy Hash: E6519476D0022A9BDB11DFD9C840AEEBBB4AF14B10F49416AE991FB240D7B49D01CBE4
            Function 0101E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: EXT-
            • API String ID: 0-1948896318
            • Opcode ID: b5c5eead854beae4d7d8ba4d2e3f3754bc9b6649e7548d5a79dfb6ab654c7077
            • Instruction ID: 8c5c58e9b590216e71c24f3cd71d019f80ca214374636bb5cc73a19ba423c346
            • Opcode Fuzzy Hash: b5c5eead854beae4d7d8ba4d2e3f3754bc9b6649e7548d5a79dfb6ab654c7077
            • Instruction Fuzzy Hash: 09417F72508312ABE712DA75C844BAFBBE8BF88B14F440969FAC4D7184E678D9048792
            Function 0107C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: BinaryHash
            • API String ID: 0-2202222882
            • Opcode ID: cea54f0b43be62f71fc19363be5c1b056acb81d02dd78bd4f40c26512ff4269b
            • Instruction ID: cb529173ce23252750904edd199bd509654710f0a58e74cb8ccf498c56955e99
            • Opcode Fuzzy Hash: cea54f0b43be62f71fc19363be5c1b056acb81d02dd78bd4f40c26512ff4269b
            • Instruction Fuzzy Hash: 2A4162F1D0052EAFEB61DB50CD84FDEB77CAB44714F0045E5AA48AB140DB709E898FA8
            Function 01096B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: #
            • API String ID: 0-1885708031
            • Opcode ID: ac6ce9b83d4e172854895efbbb40fa7cc045349f5406710eaec02f0027eab8ef
            • Instruction ID: d80ea6c55c896f36dba4a92514a552ab2c2061ab84b9b48c530b28dcefd2a242
            • Opcode Fuzzy Hash: ac6ce9b83d4e172854895efbbb40fa7cc045349f5406710eaec02f0027eab8ef
            • Instruction Fuzzy Hash: 1D310771A0065D9BEF22DB69C860BFE7BE8DF05704F144068F991AB282D776E805DB50
            Function 0107CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: BinaryName
            • API String ID: 0-215506332
            • Opcode ID: 328815822ee4dd30cee4690cc5aa5e3bac7ba1b6a8800c8320121baa50bb99aa
            • Instruction ID: 867e3908dfffcd9b878a94eca7cdc0529c785569bc051c9487c2f970b37dacbe
            • Opcode Fuzzy Hash: 328815822ee4dd30cee4690cc5aa5e3bac7ba1b6a8800c8320121baa50bb99aa
            • Instruction Fuzzy Hash: 2C310176D0051AAFFB16DA59CA41EBFBBB4EB80720F114169B941AB250D7309E00DBE4
            Function 0108892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON
            Download Yara Rule
            Strings
            • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0108895E
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
            • API String ID: 0-702105204
            • Opcode ID: f8528d53a8176c51c857fc001417a168704761aecf9438582b7ef25a6818bbc2
            • Instruction ID: b7129aa54928b075fdee72e574bf2254238b0523abc997084033eb4236a61b1f
            • Opcode Fuzzy Hash: f8528d53a8176c51c857fc001417a168704761aecf9438582b7ef25a6818bbc2
            • Instruction Fuzzy Hash: 360126362082119BE675BF59CC85FAA7FA5EF82394F4C016EF7C116953CF25A840C792
            Function 010A2000 Relevance: .8, Instructions: 757COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5ee3b921622d931a5935737564e2e031e0c8752010f9c67423ce787f8443f33b
            • Instruction ID: fb1f9270bcb6135a66a82c95851bdde0b0f2a1ec846100ac3bd3735ba1f47466
            • Opcode Fuzzy Hash: 5ee3b921622d931a5935737564e2e031e0c8752010f9c67423ce787f8443f33b
            • Instruction Fuzzy Hash: 0442D0766083419BE765CFA8C890A6FBBE5BF88300F88497DFAC287250D771D945CB52
            Function 01098158 Relevance: .6, Instructions: 617COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 415aee6a473bb710fdc2538f6dff3c6ea0d29ec4e8e8f1e12c3b56496457e02f
            • Instruction ID: ef7e5ad00f14965f73569769d6a21b2eee2f0dc9c12a1feefba4e369efddd971
            • Opcode Fuzzy Hash: 415aee6a473bb710fdc2538f6dff3c6ea0d29ec4e8e8f1e12c3b56496457e02f
            • Instruction Fuzzy Hash: E0423B75A002198FEF64CF69C891BADBBF5BF49300F14C09AE989AB341D7349985DF50
            Function 01012840 Relevance: .6, Instructions: 605COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 760b18b0d8d6f72661d78e80c5ccd5d5a0efcda15ad7038c591b111f22d45e13
            • Instruction ID: 329c6bb33b69f812760f1449a8553c1ab400eb04aa6d0f9d8c766d59a341fecd
            • Opcode Fuzzy Hash: 760b18b0d8d6f72661d78e80c5ccd5d5a0efcda15ad7038c591b111f22d45e13
            • Instruction Fuzzy Hash: EF32F170A007558FDB65CF69C8447BEBBFABF84304F24815DE4C69B685DB3AA842CB50
            Function 010AA118 Relevance: .6, Instructions: 591COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f1ddc05b01e175449ba36715a076e33609e6a1602daeb330e20dda1eaf8a3f2c
            • Instruction ID: 7fb4bec4b22eb1e2ec9d7405a852a16d5d969187f61438c740a186fc1f6346ad
            • Opcode Fuzzy Hash: f1ddc05b01e175449ba36715a076e33609e6a1602daeb330e20dda1eaf8a3f2c
            • Instruction Fuzzy Hash: 59229D70704661CBEB65CFADC45437ABBE1AF48340F88849AE9C68F2C6D735E452DB60
            Function 01006A50 Relevance: .5, Instructions: 548COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ab25789ed6645b5b51fc79f2ef4ed97ca33b0b8fa975335032b5d8e914e1bed9
            • Instruction ID: 8aa3ee69f72139d230048743335369f0157b5fe00707bec99db2ec777df7e3f9
            • Opcode Fuzzy Hash: ab25789ed6645b5b51fc79f2ef4ed97ca33b0b8fa975335032b5d8e914e1bed9
            • Instruction Fuzzy Hash: D532B370A00615CFEB66CF68C480BAEB7F6FF88300F1485A9E9959B391DB35E851CB50
            Function 01024A35 Relevance: .4, Instructions: 423COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
            • Instruction ID: d86c8801405f7a7a39c5a4749b891ca9933f9b9217194af5d8cbda97f3f96b19
            • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
            • Instruction Fuzzy Hash: 13F17F71E0022A9FDB55DF99C990BEEBBF9BF48710F048169E985EB240E774D841CB60
            Function 0109892B Relevance: .4, Instructions: 386COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4f7a5d04f9da8f606b8b4d84c39e21d7656bfb0fb84e2b8054ff4793693d6cc
            • Instruction ID: e454cbdd1da720155e07027bad54f2b7738f07360759442aec45be409a269a4d
            • Opcode Fuzzy Hash: a4f7a5d04f9da8f606b8b4d84c39e21d7656bfb0fb84e2b8054ff4793693d6cc
            • Instruction Fuzzy Hash: 32D1E271A0060E9BDF05CF69C861AFEB7F1AF89304F18C16AD595A7341E739E901DB60
            Function 010065D0 Relevance: .4, Instructions: 383COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 708d4475c7e9dc1ab7f3ca90b6b5f5f305e5c9f577d31902040073e3c79bc6b9
            • Instruction ID: 27eef4e00615e11598d2f2685567e4a8c52654a271f13e0dfea26dad5498bf54
            • Opcode Fuzzy Hash: 708d4475c7e9dc1ab7f3ca90b6b5f5f305e5c9f577d31902040073e3c79bc6b9
            • Instruction Fuzzy Hash: E2E1A171508341CFD716CF28C490A6ABBE5FF89314F048A6DE9D98B391DB32E915CB92
            Function 00FF8397 Relevance: .4, Instructions: 380COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 71ad6be3ec34e82e0ffaed6926f446cad1b44ca24ffb6be7b23b91d5e1aa94b3
            • Instruction ID: 2e62ae360810a1c434c25d0fab05566e2485d1c2cd05eebfbe82d69894d93ddf
            • Opcode Fuzzy Hash: 71ad6be3ec34e82e0ffaed6926f446cad1b44ca24ffb6be7b23b91d5e1aa94b3
            • Instruction Fuzzy Hash: 46D1F372A0020A9BCB14DF64C881BBB77E5BF44354F144529FA52DB2A1EB34E942DB60
            Function 01088243 Relevance: .3, Instructions: 322COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
            • Instruction ID: 4bc16c5be91f82c1b6763b9fb574f768d42844e614762673b23792e88dc8d77f
            • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
            • Instruction Fuzzy Hash: B1B17474A046099FDF64EF59C940AABBBF9BF84304F90845EAAC297791DA34E905CB10
            Function 01010535 Relevance: .3, Instructions: 300COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction ID: 98382b2504c64ef9bdc80208ec93ff8d898c76b5bdc1df14797163f28e41ef29
            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
            • Instruction Fuzzy Hash: 2EB1E7316006469FDB15DBA8C890BBFBBFAAF48304F140595E6D2DB289D734D981DB90
            Function 010083C0 Relevance: .3, Instructions: 281COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0d4fff823bdb8efd4a03d881737ed402001bb1001b35950c6dcc9694f140e2aa
            • Instruction ID: 127f09d5af9d048ced3e9436a62ac418e1a1bba01848cf7e1cd1bcfa2bb80312
            • Opcode Fuzzy Hash: 0d4fff823bdb8efd4a03d881737ed402001bb1001b35950c6dcc9694f140e2aa
            • Instruction Fuzzy Hash: 63C168705083418FE765CF18C494BABB7E9BF88304F44896EE9C987291DB75E909CF92
            Function 00FFC427 Relevance: .3, Instructions: 280COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 16aa87341139eb52a930c8dd15d389171b9871c7e87094294871f491c9ea89e3
            • Instruction ID: 97329ef37a7aac48bfd643fd2af5f99fd4a6491e113ee69778e3b0c966c036ee
            • Opcode Fuzzy Hash: 16aa87341139eb52a930c8dd15d389171b9871c7e87094294871f491c9ea89e3
            • Instruction Fuzzy Hash: 25B19170A0026D8BDB64CF54C980BB9B3F1EF44710F1885E9D94AE7291EB34AD85DB60
            Function 0102E5E7 Relevance: .3, Instructions: 278COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 715aa1733557fbc9e74454d95fb44028601ed774a802aff430c3d5718b631733
            • Instruction ID: 6120d8ab2824bc8f3a38748be2938a51be78ab0033e8a510031d34a8d976efb8
            • Opcode Fuzzy Hash: 715aa1733557fbc9e74454d95fb44028601ed774a802aff430c3d5718b631733
            • Instruction Fuzzy Hash: 6CA14A31E4062A9FEB31DB58D958BAE7BE8BF04754F0401A5EAC0AB281C7749C40CB91
            Function 01040185 Relevance: .3, Instructions: 276COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 67d6aa4819cb7111db5d1ca962ff4c89c7510be578458338c8ba5a23ff540296
            • Instruction ID: ee098c718968c46ed898855786cfba40d2e9748d7118a6956b17a7cf61cc1f52
            • Opcode Fuzzy Hash: 67d6aa4819cb7111db5d1ca962ff4c89c7510be578458338c8ba5a23ff540296
            • Instruction Fuzzy Hash: E7A1AFB0B0061A9BDB25DF69C9D0BEAB7F5FF44314F004179EB85AB285DB34A851CB90
            Function 010D4500 Relevance: .3, Instructions: 275COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4d0a01b6ec4f201845326da8b5c5a951d171d92961ba04f734fa3c5c16c0d149
            • Instruction ID: a1aaf693964222f8f9ca969784a8599a11d1bfc25b19acc3b903ae839b526033
            • Opcode Fuzzy Hash: 4d0a01b6ec4f201845326da8b5c5a951d171d92961ba04f734fa3c5c16c0d149
            • Instruction Fuzzy Hash: A4A1CA72A00712AFC722DF18C981BAABBE9FF48344F45056CE5C9DBA55D738E801CB91
            Function 010D2B57 Relevance: .3, Instructions: 266COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
            • Instruction ID: 434d5c0cae86f75b22fc3249c5c6d1db2217f2fc622844d3ceaaeefb898c87fe
            • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
            • Instruction Fuzzy Hash: 85B15771E0061ADFDF69DFA9C880AADBBF5FF48310F148169E994AB354D730A941CB90
            Function 010860E0 Relevance: .3, Instructions: 264COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 80b60601e67bcb397e8825124da3fced387da76db0a52f7e2190df1eb12326ac
            • Instruction ID: 49867151519dfec2a3ccd9dad02be8d3eb3ded280de0ce134ab40b4816024eb4
            • Opcode Fuzzy Hash: 80b60601e67bcb397e8825124da3fced387da76db0a52f7e2190df1eb12326ac
            • Instruction Fuzzy Hash: 0D91C471D04615AFDF15DFA8D884BAEBFF5AF48310F164199E6C0AB341D776D9008BA0
            Function 0101E3F0 Relevance: .3, Instructions: 261COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7b5a99ba36181a9a42a022d12d4311595dc7483259cb8195dfe0ebd62d020d53
            • Instruction ID: 19a8cc5e139af113a98414b74deffbdca78bd2adf31e3627bacd54580ffeb9e6
            • Opcode Fuzzy Hash: 7b5a99ba36181a9a42a022d12d4311595dc7483259cb8195dfe0ebd62d020d53
            • Instruction Fuzzy Hash: C1914531A00612CFEB26DB5CC440BBEBBE5EF84714F1540A9EDC59B688EB39D941C7A1
            Function 010CAB40 Relevance: .2, Instructions: 222COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
            • Instruction ID: b982a6617feb24e4018369fd5a2c6e14c27f7ad6f11b97996ef4b6cdcda12686
            • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
            • Instruction Fuzzy Hash: B2815E31B00209DFDB59DF98C880AAEBBF6AF84710B18856DD9569B345EA34E901CF50
            Function 0103E284 Relevance: .2, Instructions: 212COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9b78b4ff5d19a00ac4b3c646587206d71f26d2b3fd9c5b7d631afdd9e7e9e4f6
            • Instruction ID: 4301155f6b4dd84c26ed0eb1adcc9115485b3e4a3eec0b627c3eafa5c66fda98
            • Opcode Fuzzy Hash: 9b78b4ff5d19a00ac4b3c646587206d71f26d2b3fd9c5b7d631afdd9e7e9e4f6
            • Instruction Fuzzy Hash: D3817471A00609EFDB65CFA9C880BEEBBF9FF88354F148529E595A7250D730AC45CB60
            Function 0101C640 Relevance: .2, Instructions: 206COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c3c4b863e9c4b95a483f38584b6ec2bf2dbae7a1ce3bb8dd205a6427e6a5ad44
            • Instruction ID: c27736c6d156cf1b8dbac2a965fcc44ee8e07d2603fd038c44290c4a678e952b
            • Opcode Fuzzy Hash: c3c4b863e9c4b95a483f38584b6ec2bf2dbae7a1ce3bb8dd205a6427e6a5ad44
            • Instruction Fuzzy Hash: 8471DF75C04225DFDB258F58D9907BEBBF4FF58710F14815AE982AB354D3799800CBA0
            Function 010B47A0 Relevance: .2, Instructions: 202COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ebd8666a7710e45949ad7c7d51d9d869867c0a0cb3e083d3a0d02f6fd8a14117
            • Instruction ID: e1b05d167e7416c2dd3d93ac8f7edd499c5f9f5cb189b3db870f89feff38160b
            • Opcode Fuzzy Hash: ebd8666a7710e45949ad7c7d51d9d869867c0a0cb3e083d3a0d02f6fd8a14117
            • Instruction Fuzzy Hash: 6C718270D00205EFDB20DFA9D981ADABBF8EF94300B11419EE6D1E769AC7369A40CB54
            Function 0101260B Relevance: .2, Instructions: 201COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 005ab1d90c54bd15e5e1864127ffdcd2ddf824ee046a1173b727a3a89d8ae7ad
            • Instruction ID: b562b6af808b0409a35a3a12eb39ef5b2b84a41ffa0a1284d421fb909e79539e
            • Opcode Fuzzy Hash: 005ab1d90c54bd15e5e1864127ffdcd2ddf824ee046a1173b727a3a89d8ae7ad
            • Instruction Fuzzy Hash: E271C1716046428FD356DF28C480B6AB7E5FF88310F1485A9E8D9CB39ADB38DC45CB91
            Function 0108035C Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction ID: 23480cbcdf9ab942be5c515ba56f7652ae479f9b230a696830a5205b3cf75e71
            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
            • Instruction Fuzzy Hash: F2718071A00619EFCB10EFA9C984EDEBBB9FF48310F104569E585AB254DB34EA05CB60
            Function 010962A0 Relevance: .2, Instructions: 198COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 25bebdc50f0c2bb024012bbbf66af8971d1cedaa1f3cf6cbc094c14857260689
            • Instruction ID: 85d9ab6ed8833f477839c110789de181e1642b4aa08e056c0e6fd84b3ad20bd5
            • Opcode Fuzzy Hash: 25bebdc50f0c2bb024012bbbf66af8971d1cedaa1f3cf6cbc094c14857260689
            • Instruction Fuzzy Hash: D4710671200B01AFEB329F58C864F5ABBE6FF44760F148468E2D58B2E0DB76E844DB50
            Function 01008AA0 Relevance: .2, Instructions: 197COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 54eb4ef50b9f55e03d87cc84d5814747d8509af1cbc1b71f3120204aad3b5491
            • Instruction ID: 111638c7b8ae7d5d2eaa3808c139af47cfa6957c8d9b7a7e3b7962c42c2e8a4e
            • Opcode Fuzzy Hash: 54eb4ef50b9f55e03d87cc84d5814747d8509af1cbc1b71f3120204aad3b5491
            • Instruction Fuzzy Hash: DF81C172A04716CFEB25CF98C584BAEB7F5BF88310F15816ED984AB681C7799D40CB90
            Function 010D8324 Relevance: .2, Instructions: 192COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 703f072b2caf1a33c8cfca458cfdf7448048b509d2e414e36c0915342a0f590f
            • Instruction ID: c2ec2925a7252e97b9deeab70a6954700aa3c0d4639856eea6aa0aa307495e31
            • Opcode Fuzzy Hash: 703f072b2caf1a33c8cfca458cfdf7448048b509d2e414e36c0915342a0f590f
            • Instruction Fuzzy Hash: 01711BB1E00209AFDB15DF94C881FEEBBB8FF04750F10816AF654A7290D774AA05CB90
            Function 010BA250 Relevance: .2, Instructions: 184COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 24c55ff218835eb44b594f249a4c570072a4fcf8de7d095273b52055fe6c7af2
            • Instruction ID: 8ee9c4e6a4aa9b37704335a318d089d7b24526d61b7d8d0914ecf6e24df71db3
            • Opcode Fuzzy Hash: 24c55ff218835eb44b594f249a4c570072a4fcf8de7d095273b52055fe6c7af2
            • Instruction Fuzzy Hash: 6451AE72604712EFD711DA68C884B9BBBE8EBC9750F004929BA80DB250DB75ED05C7A2
            Function 010A8350 Relevance: .2, Instructions: 161COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 20c1325d53220bdc32ae7fc90be206f949db78e43d908aaa7c6ecf0fba1833ed
            • Instruction ID: 8f4ca9e48a6358a125e093d3fe9528d8189e29a3dfd6a628c3b1d2f9b92820bf
            • Opcode Fuzzy Hash: 20c1325d53220bdc32ae7fc90be206f949db78e43d908aaa7c6ecf0fba1833ed
            • Instruction Fuzzy Hash: 8051B2B0900705DFD721DFAAC880AABFBF8BF94711F50861EE2D6576A0DBB0A545CB50
            Function 0103E443 Relevance: .2, Instructions: 158COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 86c7e1d681abef4613544105024a5623f69a887832da1990502ea17564be99ab
            • Instruction ID: dd58b146df7a69f56746217cb6769fdfc79ed7b4fef2d70bd53ae33fac4e760f
            • Opcode Fuzzy Hash: 86c7e1d681abef4613544105024a5623f69a887832da1990502ea17564be99ab
            • Instruction Fuzzy Hash: F7518D71600A09DFCB22EF69C980EAAB3FDFF58794F400569E58197660EB34ED51CB50
            Function 010A4180 Relevance: .2, Instructions: 156COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9dc8e724f24943d6112508e1474d0d833c85623086b8c659acd34263a5517995
            • Instruction ID: 8b2d6b6b2bd5400b77720cc01ac82081963406eb6e65ceab90cd8f7b4c5ea3a1
            • Opcode Fuzzy Hash: 9dc8e724f24943d6112508e1474d0d833c85623086b8c659acd34263a5517995
            • Instruction Fuzzy Hash: 79517A766083029FD754DF69C880AABBBE5BFC8204F88892DF5C5C7250EB70D905CB52
            Function 010245B1 Relevance: .2, Instructions: 156COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
            • Instruction ID: 7a28ebc0634abc1211812331b2a3c3666ac7d865c90dba1e03187c98d153e630
            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
            • Instruction Fuzzy Hash: A5519E71E0022AABDF15DF98C840BEEBBB9BF49354F044069EA95EB240D774DD44CBA4
            Function 0108E9E0 Relevance: .2, Instructions: 154COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
            • Instruction ID: adf747680463f1a23def0dbf968b6e31735c77d579acd35d41eaca6a19d86ea1
            • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
            • Instruction Fuzzy Hash: 1351B771D0421AEFEF21FA94C890BEFBBB5AB00724F154665DAD267291D7309E40C7A0
            Function 010C8B28 Relevance: .2, Instructions: 152COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 71131de2b26c939134a86fcbd8c2014ff9980c39118f97a3e680dc4bedeee4bc
            • Instruction ID: ab60f5ce9e6c12f92904d23a8db0a7c34bc3b9a50d56cdcb76d4f576aa7ca669
            • Opcode Fuzzy Hash: 71131de2b26c939134a86fcbd8c2014ff9980c39118f97a3e680dc4bedeee4bc
            • Instruction Fuzzy Hash: 3041E5707016159BD769DB2DC895BBFBBDAEF80A20F04C15EE9D5872C0DB34D801CA98
            Function 0108CBF0 Relevance: .1, Instructions: 148COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b33c07b9fdf03c24ed90e3d1349ba8a8be69fa2f9a1f12e558d10d1f9ae068d7
            • Instruction ID: b7614984a66b14fa35bfb36959cf545ff6a6ba2d2b0477961ee74d7920c28c69
            • Opcode Fuzzy Hash: b33c07b9fdf03c24ed90e3d1349ba8a8be69fa2f9a1f12e558d10d1f9ae068d7
            • Instruction Fuzzy Hash: C3517B7190021ADFEB20FFA9CA809DEBBF9FB48214F15855AD5C5A7704DB35A901CBA0
            Function 0103A430 Relevance: .1, Instructions: 139COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b4b043af08714e10b0527a57957fe64ae3933c855e6042f1f291b088d7eaa5f5
            • Instruction ID: fa9bc6a3813bd65caaef84324a0a0a1087da41dd69df82b6732e2efcf9643760
            • Opcode Fuzzy Hash: b4b043af08714e10b0527a57957fe64ae3933c855e6042f1f291b088d7eaa5f5
            • Instruction Fuzzy Hash: 4F412B75B40201DBDB65EF6DD882FAE3769AB99708F00006DFEC2DB242DB7798008B50
            Function 010CA9D3 Relevance: .1, Instructions: 139COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
            • Instruction ID: 1a87e52f123ba38939fab6278c0dbc9ea234513e43e4764e4ee9a2df70f6c6c1
            • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
            • Instruction Fuzzy Hash: F741C47170171ADFDB25CF68C980AAEB7E9FF84614B05466EE99287244FB30ED14CB90
            Function 010301F8 Relevance: .1, Instructions: 138COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ce2c2f4913f48b7f97d5720151a9f6d87f96dd8c53dd4678684389864e8283eb
            • Instruction ID: 423e0f25c0eb6a3e950bdc949575bb9349df946193e69435a792e031db7092c1
            • Opcode Fuzzy Hash: ce2c2f4913f48b7f97d5720151a9f6d87f96dd8c53dd4678684389864e8283eb
            • Instruction Fuzzy Hash: 2D41DE35E02219DBDB14DF98C440AEEB7B8BF89710F1481AAF895F7244D7359D01CBA4
            Function 0102EBFC Relevance: .1, Instructions: 138COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 09e268b5c1b1c6df5f81d53809859a5c76df698fbc7ec930b030155d9225ebb5
            • Instruction ID: 0e065d71106524dc0689f68c95f73f09fd5b3f2cfc31c6832c4b1b3ce20417fd
            • Opcode Fuzzy Hash: 09e268b5c1b1c6df5f81d53809859a5c76df698fbc7ec930b030155d9225ebb5
            • Instruction Fuzzy Hash: F941B0712043069FD724EF68C880AABB7EAFF98224F10487EE9D7C7615DB35E8458B51
            Function 01042750 Relevance: .1, Instructions: 137COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
            • Instruction ID: af9bde7cf4886380f13cee6828d503f2215d460f0f54086d17d1ea84b293dfe5
            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
            • Instruction Fuzzy Hash: D9514775E00219DFCB55CF98C480AAEF7F2FF84710F2881A9D995AB351D730AA42CB90
            Function 01006154 Relevance: .1, Instructions: 133COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d56d7027be03bae1c045b0c7bee58ceaf1b30c81fff5b748ac9ba79e0e362e29
            • Instruction ID: 6cc6516274b5d8a135758c8ecfe2ac3c74f7ed2c0c09731a235c1a522a9ddca3
            • Opcode Fuzzy Hash: d56d7027be03bae1c045b0c7bee58ceaf1b30c81fff5b748ac9ba79e0e362e29
            • Instruction Fuzzy Hash: 18512770940606DBEB26CB68CC00BE8BBF6EF01314F1442E9E599976C5DB3A5991CF40
            Function 01000BCD Relevance: .1, Instructions: 130COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 74f013810813017c997f88d4b8cf22ddf79798bc7c2a5865a39c16039847c779
            • Instruction ID: bd3194ab9da060b46104d9ff900231d01b1d8ff6f94dbbd7438cb6d1f75bc57e
            • Opcode Fuzzy Hash: 74f013810813017c997f88d4b8cf22ddf79798bc7c2a5865a39c16039847c779
            • Instruction Fuzzy Hash: 43417375A0022D9FDB62EF68C940FEEB7B4EF45750F0100A5E988AB285D7749E84CF91
            Function 010C866E Relevance: .1, Instructions: 129COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
            • Instruction ID: 7912f60c03801e17340b79a368ab7184144bfe9b80f18aa030385099c7ddc9c8
            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
            • Instruction Fuzzy Hash: E7419575B00105ABDB15DB99CC84AEFBBBABF88A10F14806EE584A7341D770DD008B64
            Function 01000887 Relevance: .1, Instructions: 128COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a137e3fed5f8bc00f2fc815da397803e10cad20cd1d50e5e34fbae79e796c71c
            • Instruction ID: 9a38efc781c7b37ea7297abc2f8a405d1c4546203102d65203bb759bc8325fd8
            • Opcode Fuzzy Hash: a137e3fed5f8bc00f2fc815da397803e10cad20cd1d50e5e34fbae79e796c71c
            • Instruction Fuzzy Hash: 5A41B2706007029FE326CF28C480A66B7F5FF49354F104A6EE5C786A94EB35E945CB90
            Function 0102A470 Relevance: .1, Instructions: 127COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cd54507efded961e176ed21e8c83abe470f77a898cb2fe9fea56746d9e728db2
            • Instruction ID: 9cb1eff06a49cc47b585586be8ff8bd46451f07fa5f465c4e0db39e852bea18a
            • Opcode Fuzzy Hash: cd54507efded961e176ed21e8c83abe470f77a898cb2fe9fea56746d9e728db2
            • Instruction Fuzzy Hash: 2541D331A41224CFDB21DF68C8857EF7BB4FB54320F1401A9D891ABA95DF39D944CBA0
            Function 01008BF0 Relevance: .1, Instructions: 124COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 77fb771037b5ba0194bd0df5f9030f1ee6af4f3adf41e8c555493a4987a42475
            • Instruction ID: a28ec64f67acc46f2a1af2b2b89617a1ec216264581168cdc4297885f96487b8
            • Opcode Fuzzy Hash: 77fb771037b5ba0194bd0df5f9030f1ee6af4f3adf41e8c555493a4987a42475
            • Instruction Fuzzy Hash: 2641F231E00216CBE7269F48C881AAFBBB5FB94704F14C12FD9859B695C77A9842CB90
            Function 00FF8918 Relevance: .1, Instructions: 123COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 397832cc177c41a999de58d4bfd685add1c2573499f6684f187c54009a1d3dda
            • Instruction ID: 67a38517448af761192371b2e1f9a4fd673b1e3991189b2ff1c5cde20625bebd
            • Opcode Fuzzy Hash: 397832cc177c41a999de58d4bfd685add1c2573499f6684f187c54009a1d3dda
            • Instruction Fuzzy Hash: 8141603250831A9ED321DF55C840A7BB7E9FF84B94F40092AFA80D7160E771DE059B93
            Function 00FFA020 Relevance: .1, Instructions: 122COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction ID: 000dafed21d6a29d9d4b31361726a585c19c185c70570d0dfe75945a065a29a7
            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
            • Instruction Fuzzy Hash: 1E416072A00219EFDB51DF18D4407BFB7B2EF50714F1580AAEE898B250DA37AD40EB91
            Function 010009AD Relevance: .1, Instructions: 122COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bcf6e582deee04f84c893cf5965f5a40b0c0e1a9bda71947024ab0663169b570
            • Instruction ID: 052228f0975c9c9ff6d28d9bba5a40ffbc16260f14d2246691ec51a657895e23
            • Opcode Fuzzy Hash: bcf6e582deee04f84c893cf5965f5a40b0c0e1a9bda71947024ab0663169b570
            • Instruction Fuzzy Hash: 55419F71640701EFE322CF18C840B6ABBF4FF59354F24866AE489CB295E771E942CB91
            Function 01030710 Relevance: .1, Instructions: 121COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
            • Instruction ID: b8123cbc3f8c7fe9a2cda0807914522425620d777afa6e3b68509003ea033124
            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
            • Instruction Fuzzy Hash: D5415C75A01705EFDB25CF99C980AAABBF8FF58700B10496DE596D7254D330EA44CF90
            Function 0100262C Relevance: .1, Instructions: 119COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c98752be382780e5081bfe0a9d834a5a8e1e74b44fc92fdf263eecd0fe6c6318
            • Instruction ID: 1b665fc1cfd5345b421f947fc4d2077e15d9a489ca5f4c7f1dca02785c1ed8d9
            • Opcode Fuzzy Hash: c98752be382780e5081bfe0a9d834a5a8e1e74b44fc92fdf263eecd0fe6c6318
            • Instruction Fuzzy Hash: 6441D170501705CFEB62EF28C9046A9B7F2FF48310F1082AEC5CA9B6E1DB34A941CB41
            Function 0103C8F9 Relevance: .1, Instructions: 116COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6ca9606de0280e03ec97e25df8db5825452cfd3fd309be9f6bf52de310812440
            • Instruction ID: f7209f48e25133fc1eefe765d673ea01ea219310088edee91f09a9273f2ce4b7
            • Opcode Fuzzy Hash: 6ca9606de0280e03ec97e25df8db5825452cfd3fd309be9f6bf52de310812440
            • Instruction Fuzzy Hash: 083197B2A00345DFEB52CFA8C540799BBF4EB49728F2181AED149EB251D7369902CB90
            Function 010807C3 Relevance: .1, Instructions: 114COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e6430a7f64f8c8df829a0a3ffc5b7471626116039e8b8c1e98996742edea4029
            • Instruction ID: edc86809b5137d764d24f86d342287216fe3c88c8977181977bd42def600c665
            • Opcode Fuzzy Hash: e6430a7f64f8c8df829a0a3ffc5b7471626116039e8b8c1e98996742edea4029
            • Instruction Fuzzy Hash: 80418BB15083019BD360EF29C845B9BBBE8FF88614F008A2EF9D8D7290D7749844CB92
            Function 00FF80A0 Relevance: .1, Instructions: 111COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4e26face25fc46c5ae6362cf0df2d511bce0d82247a5b4b6661889cd7359bd61
            • Instruction ID: 9089b05b80030335c0be7f44dd50d51ed6515676b55b80df7fc1b1f560a3b2fd
            • Opcode Fuzzy Hash: 4e26face25fc46c5ae6362cf0df2d511bce0d82247a5b4b6661889cd7359bd61
            • Instruction Fuzzy Hash: 4A41E372E056199FDB11DF58CC806B9B7B1BF047A0F208329E955A72A0DF34ED43AB90
            Function 010805A7 Relevance: .1, Instructions: 111COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 628a6dd5d5be00b7d38bdc1192144556ac767dedbf73d5d53f7d3eee47d3f304
            • Instruction ID: d5ab13408cc2927102c593ea7b38b806ca8960f436d7573171dc1d03d51e85dc
            • Opcode Fuzzy Hash: 628a6dd5d5be00b7d38bdc1192144556ac767dedbf73d5d53f7d3eee47d3f304
            • Instruction Fuzzy Hash: 1041E6726086469FD320EF68C840ABAB7E5FFC8700F14466DF9D497684E730D918C7A5
            Function 01004859 Relevance: .1, Instructions: 111COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 02d0b39a6d7f8e5e2759a4c57622df8d190b56feb7a0581d29134405d5d27872
            • Instruction ID: 0be74151bcf0942a6fb7c5c2b618b0a8c105f8404fb1e37ab5d621d185809328
            • Opcode Fuzzy Hash: 02d0b39a6d7f8e5e2759a4c57622df8d190b56feb7a0581d29134405d5d27872
            • Instruction Fuzzy Hash: F941B0702003028BE726DF28D884B2ABBE9EF80364F1448BDE6C5CB2E1DB35D941CB55
            Function 010102E1 Relevance: .1, Instructions: 106COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction ID: 4792ab79f11dfd525839cbf48b191375c6f0f57b6de73180510bc8117cd64d5c
            • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
            • Instruction Fuzzy Hash: 90310771A04245AFDB528B68CC40BDFBFEDAF14350F0485A5F8D5D739AC6789984CBA0
            Function 010AE3DB Relevance: .1, Instructions: 105COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ac9070bfefa57105d38227577221b20709077a120e5c43f0739aa63b8f517aba
            • Instruction ID: 561515e2058885c9031b4f385a951fa1b293908dce8d8d0eab7cd7014ce8604c
            • Opcode Fuzzy Hash: ac9070bfefa57105d38227577221b20709077a120e5c43f0739aa63b8f517aba
            • Instruction Fuzzy Hash: E931967574071AABD7229F95CC41FAB7AA8AB59B50F500028FA40AB291DAA5DC01C7A0
            Function 010B4B4B Relevance: .1, Instructions: 104COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 920a50536f6a8890a485422b75d63285b5aa91aff7616c53a994e7e2e3223780
            • Instruction ID: 316c6ac6d9420be25d7eb6abdee414e098d4c9a1bbd169faf1d5962df1a772cd
            • Opcode Fuzzy Hash: 920a50536f6a8890a485422b75d63285b5aa91aff7616c53a994e7e2e3223780
            • Instruction Fuzzy Hash: EB31E6326052058FC321DF1DD8C1EA6B7E5FB80760F1A44ADE9D6CB656DB32E940CB91
            Function 01004260 Relevance: .1, Instructions: 102COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 99a6c1f8c6dc90f038e8aadaaeec2c33895ab31542d66892cffd41ad3e202ad9
            • Instruction ID: 920358862ffdc6bdca1914d6bbb7f8882c783529d4f8dbc2e100b24bfe410f35
            • Opcode Fuzzy Hash: 99a6c1f8c6dc90f038e8aadaaeec2c33895ab31542d66892cffd41ad3e202ad9
            • Instruction Fuzzy Hash: 7E41AB71240B469FD762CF68C881BDA7BE9BF49714F058869E6D9CB290CB74E844CB90
            Function 010B4BB0 Relevance: .1, Instructions: 101COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 83381f874cfb9fd0c8688efd08a189192c6a9df039e3517647a167f282e70a1f
            • Instruction ID: ced61112fddc46e7d073c3960ebc42ebc6608786bf48337c1cd9aaf74ec58c68
            • Opcode Fuzzy Hash: 83381f874cfb9fd0c8688efd08a189192c6a9df039e3517647a167f282e70a1f
            • Instruction Fuzzy Hash: BB319E716042058FD360DF28C8C1EAAB7E5FB84B10F15456DE9D6DB692D730EA04CB91
            Function 0107EB1D Relevance: .1, Instructions: 100COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1665df746e7bca56a5777b4b51031626a56dbfe480611567060551821e5e29a7
            • Instruction ID: e5a9f02e5834a13f64e39da030cb5874c7626e365a0e8059d268607be59d90a4
            • Opcode Fuzzy Hash: 1665df746e7bca56a5777b4b51031626a56dbfe480611567060551821e5e29a7
            • Instruction Fuzzy Hash: CF31C671B026C69BF326676CCD48B667FD9BB41B54F1D00E0ABC59B6D2DB28D841C238
            Function 010C61C3 Relevance: .1, Instructions: 97COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 976a2dd5927d27c023fdb248c8bf40b9fbc92093ccc82eb7a4d5c8567f1baf74
            • Instruction ID: 9f2224ef399973d82b4b5c33fa682d33b9aa0ba6d85ebe398869f05dce5ba6b9
            • Opcode Fuzzy Hash: 976a2dd5927d27c023fdb248c8bf40b9fbc92093ccc82eb7a4d5c8567f1baf74
            • Instruction Fuzzy Hash: 5531C476A0051AABDB25DF98CC80FAEB7B6FB48B40F454169E940EB344D771ED01CB94
            Function 010A483A Relevance: .1, Instructions: 96COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bfb3f517401119037fbee5cc7424fb4998fb811576cc538b1052f80e2071482d
            • Instruction ID: 2e1abe5d3ad33ee01f865540159a5c627624e17d8b16e1d44d2b99165ecc91c7
            • Opcode Fuzzy Hash: bfb3f517401119037fbee5cc7424fb4998fb811576cc538b1052f80e2071482d
            • Instruction Fuzzy Hash: 92315276A4012DABCB61DF94DC84BDEBBF9AB98310F1440E5E548E7250DB70DE918F90
            Function 0102EB20 Relevance: .1, Instructions: 96COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 478a17fc2d47512bc969ba202525dd08e20ecc171a43b77560f70cc67b6c45cc
            • Instruction ID: 04c962dbfa75a40983da01262e23362f5b5424d363c737c90a9a0e02e72040eb
            • Opcode Fuzzy Hash: 478a17fc2d47512bc969ba202525dd08e20ecc171a43b77560f70cc67b6c45cc
            • Instruction Fuzzy Hash: BD31D772E40225AFDB22EFA9CC40A9FBBF9EF08350F114465E995D7250D2749E008BA0
            Function 010C60B8 Relevance: .1, Instructions: 95COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d16144e0468546bc9984c17058f30e05970a577e525e5c3ee5eebbf87809957f
            • Instruction ID: 3497d45e0cb394ee5ee25381991f8e33c7f230f2c0f6e7678453e79b45765dca
            • Opcode Fuzzy Hash: d16144e0468546bc9984c17058f30e05970a577e525e5c3ee5eebbf87809957f
            • Instruction Fuzzy Hash: 6F31D671A00606AFD7229F99C850BAFB7F9AF84B54F14406DE985DB352DA31EC018B90
            Function 010007AF Relevance: .1, Instructions: 95COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a5fcd108b482a6bc9c8ec90d6fb3b616f2634427fa5f4b1bd4940218a4e85628
            • Instruction ID: af5a84b9a5af0647d11ab0a0f106338cce78e75314015103ff23237a327d0819
            • Opcode Fuzzy Hash: a5fcd108b482a6bc9c8ec90d6fb3b616f2634427fa5f4b1bd4940218a4e85628
            • Instruction Fuzzy Hash: 2E31F432A04716DBD713DE28C880BABBBE5BF94290F014529FDD997295DB30DD0187E1
            Function 01008550 Relevance: .1, Instructions: 94COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 249ecd971e464485a2367e84319a8988e0f2d08ab177335fc2d40b523f09bfb4
            • Instruction ID: bf7a0899efd6d256a1de6b8444801205c2f8f33b40c9fb9cfe620d7904716b7f
            • Opcode Fuzzy Hash: 249ecd971e464485a2367e84319a8988e0f2d08ab177335fc2d40b523f09bfb4
            • Instruction Fuzzy Hash: 6B316B71A093018FF765CF19C840B2ABBE9BB88700F0589AEF9C497291D775E944CB92
            Function 0103A6C7 Relevance: .1, Instructions: 92COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
            • Instruction ID: a658383d6715cd3287c583c9a01a8824034c6fe613e81b67e73b37de03639745
            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
            • Instruction Fuzzy Hash: F0312DB2B00B01EFE7A5CF69DD81B57BBF8BB48650F04496DA5DAC3650E630E900CB64
            Function 010AEBD0 Relevance: .1, Instructions: 91COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 86e6a6878bba9dfe4c8f373a32bdbfebdbebcd666cc472623ed2533406ca7221
            • Instruction ID: 021e4bf76439f67171a7771fc2468ecbdbc20b220873e49ba44ca23a562cef0c
            • Opcode Fuzzy Hash: 86e6a6878bba9dfe4c8f373a32bdbfebdbebcd666cc472623ed2533406ca7221
            • Instruction Fuzzy Hash: C631CC71905306CFCB21DF19C54085ABBF1FF89218F8449AEE4C89B251E335E946CF92
            Function 0102438F Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f618d9f3bdf5bd151bb93b2767377535399b7774442f7b4ea932247f4c634649
            • Instruction ID: c7397a960e07e135dcfe9afa11fd195a34a3cc3e46514cbcf691252454167e44
            • Opcode Fuzzy Hash: f618d9f3bdf5bd151bb93b2767377535399b7774442f7b4ea932247f4c634649
            • Instruction Fuzzy Hash: 2B31F172B006169FD720EFA8C881AAEBBF9AF85304F008529D185D7654EB35ED42CB90
            Function 00FFCB7E Relevance: .1, Instructions: 89COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
            • Instruction ID: cccd98f4a1360e54a3886c86a83bce92e1c3f8e0463c91f8165cc0052d76b050
            • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
            • Instruction Fuzzy Hash: DC21F236E4026EAADB109BB98851BBFBBB5AF44754F058175AE95EB350E270CD0087E0
            Function 00FFC156 Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ec580123ae8bb637e6ea05435bd876131bbc13dd86e936f03ddf527cc0ab4840
            • Instruction ID: 2c77dd05bb83675342c1bbe167d2c65a267a5776b7ea71e33ef333fe8c4f795f
            • Opcode Fuzzy Hash: ec580123ae8bb637e6ea05435bd876131bbc13dd86e936f03ddf527cc0ab4840
            • Instruction Fuzzy Hash: 2C3139B15002058BD771AF68CC41BAA77B4BF54314F5481AADDC99F386EE39D982CBA0
            Function 010BC3CD Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction ID: 47405c926a37640d6d099a76d5736404748f46ae5e94822e303cecabb47f9d1e
            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
            • Instruction Fuzzy Hash: 6521303A60065677DB15AB958D80AFBBBB5EF80710F40C81AFAD58B551EB3CDE40C360
            Function 00FFE420 Relevance: .1, Instructions: 88COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e4cab0f7892e4dde13dbfbca644ada8bd5c6b511286fc18902de66bdc5690ad1
            • Instruction ID: cb0cacbe14bb8c7e5be1adf96a06fd26bf3fdb47fa87d8c41ef5f8d4676db0a5
            • Opcode Fuzzy Hash: e4cab0f7892e4dde13dbfbca644ada8bd5c6b511286fc18902de66bdc5690ad1
            • Instruction Fuzzy Hash: 3231C236A4052C9BDB31DF14CC41BFEB7B9AF15750F0500A5E685AB2B0D674AE80AF90
            Function 01034588 Relevance: .1, Instructions: 87COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
            • Instruction ID: 28cbd8951f302e0ebce172a171a0ba436964c5ad570fc1416424a1ceb93c7a98
            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
            • Instruction Fuzzy Hash: 2A218D32A00609EBCB15CF58C980A8EBBE9FF8D314F1080A9EE55DF241D671EA059B90
            Function 010344B0 Relevance: .1, Instructions: 87COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 44f2c266b7749cf8b3d457f8a54fd9d2a0e0c48676f1b55b3969c10dc86e98da
            • Instruction ID: ab0063a67badffffa6dc45a50fc06c1d19f5002d3ac39fb864099e7b543c92e4
            • Opcode Fuzzy Hash: 44f2c266b7749cf8b3d457f8a54fd9d2a0e0c48676f1b55b3969c10dc86e98da
            • Instruction Fuzzy Hash: F521C372A047459BC722DF18C880B6B7BE8FBC8760F014559FD999F682D730E9018BA2
            Function 00FFE388 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction ID: d8e82a9088c1edf7977d18de1d687f8a79bfd7b1b375f7f1561df1a48bda6fac
            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
            • Instruction Fuzzy Hash: 0F317C31600609EFD721DF68C984FAAB7F9EF45354F1045A9E692CB2A0E734EE01DB50
            Function 0107E609 Relevance: .1, Instructions: 86COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: acc65a66ca5c8f260f3cc800af6d0f31d87d3dd6b36e30a1cd1556665e342e9b
            • Instruction ID: 97292ef9aa16d9d318f2c3ba24a09c8029aecdca280d98a5de636b48a4e1b2c0
            • Opcode Fuzzy Hash: acc65a66ca5c8f260f3cc800af6d0f31d87d3dd6b36e30a1cd1556665e342e9b
            • Instruction Fuzzy Hash: C3316F79A01205DFCB14DF1CC8849EEB7F6FF88344B158499E8859B391E771EA50CB94
            Function 010806F1 Relevance: .1, Instructions: 79COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c1e1abee9bb45dddcbd6712909cdc7bed956b6be311bedd6312804d5743dbf11
            • Instruction ID: c41f3b8f5ca362ee5a25250a4c2f9f6905b0cd479bf92d84b83fbe4ee3941ea0
            • Opcode Fuzzy Hash: c1e1abee9bb45dddcbd6712909cdc7bed956b6be311bedd6312804d5743dbf11
            • Instruction Fuzzy Hash: D321BF71D00229ABCF24EF59C881ABEB7F4FF48740B554069F981EB244E738AD41CBA0
            Function 0108019F Relevance: .1, Instructions: 78COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a794523340812601feaec0ac52ac37955e6bdf1e15b0a54e90c53d6ef557bba0
            • Instruction ID: c17e58e432333b042dff7f011c0f0945e96b35b79999d50150df7826be9e247d
            • Opcode Fuzzy Hash: a794523340812601feaec0ac52ac37955e6bdf1e15b0a54e90c53d6ef557bba0
            • Instruction Fuzzy Hash: 0C219C71600645AFD715EBACD880F6AB7E8FF48750F1400A9F984DB690D638ED40CBA4
            Function 01080283 Relevance: .1, Instructions: 74COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4e43ced4ff07ee9e74331fd23b26ecc6b79887453127304b6cdfb3f9eb543b83
            • Instruction ID: abc017183200dbe160f71e7953bf28a0bab0f757f065ed7a515de3c952443499
            • Opcode Fuzzy Hash: 4e43ced4ff07ee9e74331fd23b26ecc6b79887453127304b6cdfb3f9eb543b83
            • Instruction Fuzzy Hash: 3721D0729083469BD711FF59C844B9BBBECAFA0650F0844A6BDC0CB255D734C908C7A2
            Function 01022835 Relevance: .1, Instructions: 73COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6327c7c2db0a1c38bb92570ada9d20242ac56290db4492e17ac8599337796a26
            • Instruction ID: 182e9771455c8f1e641c5a2ff41adc174279fde67efe9925946e4570abb5cdf3
            • Opcode Fuzzy Hash: 6327c7c2db0a1c38bb92570ada9d20242ac56290db4492e17ac8599337796a26
            • Instruction Fuzzy Hash: 6121FC31705691DBE322776C8C04B657BD5AF41774F2903E4FAE1AF6D2D7A8C801C150
            Function 0103A30B Relevance: .1, Instructions: 70COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ec8a0996c539750639c4b76c64928397e54279ca17d646e3bf6f48d9d5a9be43
            • Instruction ID: 4a551608a460fb00f875bc84b9a96244963fe7bfb936bbd8e747b69d88b088b0
            • Opcode Fuzzy Hash: ec8a0996c539750639c4b76c64928397e54279ca17d646e3bf6f48d9d5a9be43
            • Instruction Fuzzy Hash: E3216A75600A01DBC725DF29C901B5677F5BF48714F24846CA589CBB61E376E842CB98
            Function 010BA49A Relevance: .1, Instructions: 70COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f775941018d3a75d03ce539092dcd3c62496db7b140d95635556314f73489ec4
            • Instruction ID: 932d7936073715043f36f18183bcaddddbd482ec9ee0711f21cdc52327d67fa6
            • Opcode Fuzzy Hash: f775941018d3a75d03ce539092dcd3c62496db7b140d95635556314f73489ec4
            • Instruction Fuzzy Hash: D4113A72340A15FFE72256549C80FAB76D9DBD4BB0F100028B789CB190EF70DD018695
            Function 01080946 Relevance: .1, Instructions: 70COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5b4c2d9f953fc6b6492140932c0f24352a2c735c129ac7e407dcd7d02b0bb2ed
            • Instruction ID: 958ce844577d20778a2ad0a6be60f85db2f702f2d232aa98cfe96ef77a7d1ed4
            • Opcode Fuzzy Hash: 5b4c2d9f953fc6b6492140932c0f24352a2c735c129ac7e407dcd7d02b0bb2ed
            • Instruction Fuzzy Hash: A52116B1E00209ABCB20DFAAD8819AEFBF8FF98710F10412EE585E7254DA749945CB50
            Function 010980A8 Relevance: .1, Instructions: 69COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
            • Instruction ID: 237f442119cd99c5b8301952e3d0fc429242a3b375f55c930ffc11af2ad1a5f3
            • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
            • Instruction Fuzzy Hash: 1E218EB2A0020DEFDF129F98CC40BAEBBB9EF89350F20445AF980A7251D734D9509B50
            Function 01030124 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction ID: 1e6403fde171e7c4f8b6aa4ceaa4d20fad9e82c2bb3ee0915d32bdf93a5d0920
            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
            • Instruction Fuzzy Hash: 9F11DD72642605AFE722DB48CC81FAABBBCEB84754F104069F6418F190D671ED44DB60
            Function 01008770 Relevance: .1, Instructions: 68COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c347f98724212f74d9e13abd8a00ec5e3c4fba3402ef4339e5f46218317ec691
            • Instruction ID: 088eaad1e091e846093ac5d76ca19b00822115fa70e13f94b66dfdde4237b9a5
            • Opcode Fuzzy Hash: c347f98724212f74d9e13abd8a00ec5e3c4fba3402ef4339e5f46218317ec691
            • Instruction Fuzzy Hash: AB11B631B006119BEB56CF4DC48095ABBE5BF9A710F14C0FEEE4C9F249D6B2D9018B91
            Function 010080E9 Relevance: .1, Instructions: 66COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ca96d97a4e9bb7241b01cae68383390ea8c9acdea7e3794e56da679f4f792b97
            • Instruction ID: 468043b3dfc73898a447c8405607011b4ffc1e6ed096811171247c83b71a3d5a
            • Opcode Fuzzy Hash: ca96d97a4e9bb7241b01cae68383390ea8c9acdea7e3794e56da679f4f792b97
            • Instruction Fuzzy Hash: 9F216A35A00206DFDB15CF58C591AAEBBF9FF88314F2081AED145AB350CB71AD06CB90
            Function 0103674D Relevance: .1, Instructions: 65COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 736fadb3b12a08e151642d5347498db940fba7fb654406b9a9511083ab7c8eed
            • Instruction ID: 9f5c32c990500a35beac0f80090f63817857ace4d26daec8fc6bcf0d3355e732
            • Opcode Fuzzy Hash: 736fadb3b12a08e151642d5347498db940fba7fb654406b9a9511083ab7c8eed
            • Instruction Fuzzy Hash: 5C218E75500A01EFD7618F68C881BAAB7F8FF84250F44882DE5DAC7650DA31A950CB60
            Function 01096870 Relevance: .1, Instructions: 63COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6cc7c18221eb94ba474f358d6229b60f0121ad814a514c16534cf71331d156c0
            • Instruction ID: 95d07fe0c758655c52698feea701ab4b4ed6695223e444063fe86a85b04ad523
            • Opcode Fuzzy Hash: 6cc7c18221eb94ba474f358d6229b60f0121ad814a514c16534cf71331d156c0
            • Instruction Fuzzy Hash: 3211C132240514EBCB22DB5DCD50F9A7BECEB99B60F114025F281DF250DA72E801D790
            Function 0102E8C0 Relevance: .1, Instructions: 63COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 17e0e3747621d9e4028a83564b1d588d7168db2058a004f733722b30cf7adb5d
            • Instruction ID: eaaa369603436a06063606d44714803c030a8c9306229f4e565d9eb2c10e9dca
            • Opcode Fuzzy Hash: 17e0e3747621d9e4028a83564b1d588d7168db2058a004f733722b30cf7adb5d
            • Instruction Fuzzy Hash: 071126333001259FCB19DB29DD91A6F72ABEFD5370B25452DEAA2CB294E9319802C390
            Function 010366B0 Relevance: .1, Instructions: 61COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9b63133175e85d9ab31a2335d3c1439deb74a5b9fd64190c9154e38aa2ab89b4
            • Instruction ID: f3641fc5cba92b092af68c7483235823b7e5aeb1cf64c58661ed4e45eb3db962
            • Opcode Fuzzy Hash: 9b63133175e85d9ab31a2335d3c1439deb74a5b9fd64190c9154e38aa2ab89b4
            • Instruction Fuzzy Hash: 4811CE76A01205EFCB66CF59C580A5ABBF8BFC4650B5140BDD9859B315E63AEE00CBA0
            Function 010CA8E4 Relevance: .1, Instructions: 61COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
            • Instruction ID: 7d6bbf7590859b2e8f2f7e9275bc80b7ff24a8b6081a6e28fc19e67d54f6d0cd
            • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
            • Instruction Fuzzy Hash: 8A110436A00909EFDB19CB58C841BDEFBF5EF84710F058269E89597340E631BD01CB80
            Function 0108E7E1 Relevance: .1, Instructions: 59COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
            • Instruction ID: 2fa0d028df58ad9a01c5ba3457a0f944b0c6879eb534c7c15bdb1f43bdc97b59
            • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
            • Instruction Fuzzy Hash: D7110232624600EFE721AF48CC44B9EBBE5EF55754F058468EACC9B160DB30DC40CB90
            Function 010227ED Relevance: .1, Instructions: 58COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9c08d36e86b6df42f5713786ada549f8d64124de811262cb5c01c781e99cbe2d
            • Instruction ID: 2c1f7d295564e1bd04c18e4d70e0e08c6470b23d0ffd2c5f77dd8b7798cd3c31
            • Opcode Fuzzy Hash: 9c08d36e86b6df42f5713786ada549f8d64124de811262cb5c01c781e99cbe2d
            • Instruction Fuzzy Hash: 8A010431706685EBE316B6ADD844F6B7ACCEF902A4F0500A5FA819B250DA54DC00C271
            Function 01004690 Relevance: .1, Instructions: 57COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7578d52ba925451d742303caf7bd56fc7bd8880e1e689e4f79882f1caf05f2eb
            • Instruction ID: af5899258271cfff278f72b24f1e02b80b0c88e7d31c4b8b9e7f8e99684b3079
            • Opcode Fuzzy Hash: 7578d52ba925451d742303caf7bd56fc7bd8880e1e689e4f79882f1caf05f2eb
            • Instruction Fuzzy Hash: 9211E036200640AFEB27CF5DC840B567BE4FB8A764F04411AFA88CB690C370E840CF64
            Function 010D4B00 Relevance: .1, Instructions: 57COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0070728c60661829418e1c9526de0e457e90858f677622961dde3cc42a57775f
            • Instruction ID: cd1d608a5e9474023ae76063a29fd7f647381b8923cd13752c4b38ea1ec42c9d
            • Opcode Fuzzy Hash: 0070728c60661829418e1c9526de0e457e90858f677622961dde3cc42a57775f
            • Instruction Fuzzy Hash: 5E11C2362007119FD7629B69D844F67B7E6FFD4720F194469EAC6C7A94DA30A802CB90
            Function 01036620 Relevance: .1, Instructions: 56COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2fb6d3c99ebd1e9f99f5140e6328d81fe851855f4105845f78f6f700a082b042
            • Instruction ID: d8ac4933ccddba5e01be1b20e98ae1cd54c82159a3583c68cdf789363ee7b069
            • Opcode Fuzzy Hash: 2fb6d3c99ebd1e9f99f5140e6328d81fe851855f4105845f78f6f700a082b042
            • Instruction Fuzzy Hash: 98117372900615ABDB219B59CD80B9EFBFCEF88790F510459DA81A7240D735AA019B50
            Function 0102EA2E Relevance: .1, Instructions: 56COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9475a455cba146dd77b3ff9aba3a6d330a4627a575556d63eeda4f07a0bb3a30
            • Instruction ID: cd2486c0156be3fb42ee5d13d85ef57e1c64b5e735953011daab7447390b92ae
            • Opcode Fuzzy Hash: 9475a455cba146dd77b3ff9aba3a6d330a4627a575556d63eeda4f07a0bb3a30
            • Instruction Fuzzy Hash: 1701247150110A9FD326DF19D805F66BBF9FF81314F2081AEE2858BAA4CB74EC42CB90
            Function 0102E53E Relevance: .1, Instructions: 55COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
            • Instruction ID: 41331422606de8d4cb7647264f84b2edb3a955b66c4a878f392d9b416237a74b
            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
            • Instruction Fuzzy Hash: E811C8722526E39BE763972CE964B697BD8FF41758F1900E0DEC1CB652F728C842C260
            Function 0108E75D Relevance: .1, Instructions: 54COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
            • Instruction ID: c975d9c2fb46c4e46556407066291b0983a1809d8b410010a709c17aecfea174
            • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
            • Instruction Fuzzy Hash: 2C01D232608105AFE721BF58CC00F9A7AE9FF85750F158064EAC99B260E771DD40C790
            Function 00FFA250 Relevance: .1, Instructions: 52COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction ID: 4c211ece3d8b61af7bb1df00ece758bc18611e0743229336cf18ce6434facfc1
            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
            • Instruction Fuzzy Hash: 020149B2A04B199BCB308F15E840A727BF4FF55770700892DFD998B2A0C731D800EBA1
            Function 010D4940 Relevance: .1, Instructions: 52COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7c7c276bdd55446bb163e07eda2c4f2740db0053ebda173a3ed55f80fa89be9f
            • Instruction ID: 644962462bb0fe57cf348dd31df326168e1c58810af7982c452734f8aa025d31
            • Opcode Fuzzy Hash: 7c7c276bdd55446bb163e07eda2c4f2740db0053ebda173a3ed55f80fa89be9f
            • Instruction Fuzzy Hash: 0401C0725417019BC322DF1E9840E56F7E8EB95770B2542A5E9E8DB5AAE630E801CB90
            Function 0107E1D0 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c7cf350566e9615f7f42766ecbf39a18855eb689cc4a59dd39fd006e0478f7cc
            • Instruction ID: a1d9f08bca78c10f3b3d2a17fb1f3558c90ae61e94eb13fc323dc99cfc99174e
            • Opcode Fuzzy Hash: c7cf350566e9615f7f42766ecbf39a18855eb689cc4a59dd39fd006e0478f7cc
            • Instruction Fuzzy Hash: 4711A131641241EFDB26EF19CD80F567BB8FF54B54F1000A9FA459B691C635ED01CB90
            Function 01006259 Relevance: .1, Instructions: 51COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e94c3e1f6cf1a8eae87ace8768ea1ab63aee94ece11badd348d74d1e7c73b6b4
            • Instruction ID: def9094c0a606fade0c11f5c2857f7a55bdcc8970cb246183bd3345afa124992
            • Opcode Fuzzy Hash: e94c3e1f6cf1a8eae87ace8768ea1ab63aee94ece11badd348d74d1e7c73b6b4
            • Instruction Fuzzy Hash: 9C11A070641628ABEB65EF64CC82FE873B4BF04710F5041E4B354A60E1DB319E81CF85
            Function 01086050 Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f81f5dd70a41e6cf0dfe8e8b96d315230e8650727881627466eea8ba25761d24
            • Instruction ID: f7722fc2cd3099f9984109babd019ce4eed353bcf222692749f80087b9445de6
            • Opcode Fuzzy Hash: f81f5dd70a41e6cf0dfe8e8b96d315230e8650727881627466eea8ba25761d24
            • Instruction Fuzzy Hash: 90111776900019ABCB16EB94CC80DEFBBBCEF48254F054166A946E7211EA35AA15CBE0
            Function 0100208A Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction ID: 93ff1f0f1fa10ace7ed225c533293c9ed056bcad8961b2aa2bd58bccdbeb847c
            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
            • Instruction Fuzzy Hash: 7901F1322003118BEF92DA69D888A967BABBFC4710F5545E5ED858F28BDA718C81C390
            Function 01096500 Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8422a05e52f147c7e92b32092fe40fe47aa7f3a4dd26f3a23726ed65a7e95a0c
            • Instruction ID: d917ab5e80342258d7353b013ef1e2498d8bc15a1b70d58bf1656f5c3f2c8eb8
            • Opcode Fuzzy Hash: 8422a05e52f147c7e92b32092fe40fe47aa7f3a4dd26f3a23726ed65a7e95a0c
            • Instruction Fuzzy Hash: BE11C8766441459FD711CF58D810BA5BBF5FB5A314F098199E884CF315D732EC81DBA0
            Function 0108C810 Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d38be69ab146d6c9a578b6e0a42052743dc96091299be730dd154f8e7a9b148e
            • Instruction ID: b93eb81fa28794597b10cb1f637347b77dc155350e49461d4c790faf6159cbac
            • Opcode Fuzzy Hash: d38be69ab146d6c9a578b6e0a42052743dc96091299be730dd154f8e7a9b148e
            • Instruction Fuzzy Hash: 961118B1A00209DFCB00DFA9D581AAEBBF8FF58250F10806AB945E7351D674EA018BA4
            Function 010AEA60 Relevance: .0, Instructions: 50COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f1290cbb3d5f955779e53ec5ede2fc409c7b90f077545d2caec4c7addc98e6a2
            • Instruction ID: b1ab0acdedbbb1e518239a1bdea7ab0d3506b3f230abb9221dca74ee843f2cf1
            • Opcode Fuzzy Hash: f1290cbb3d5f955779e53ec5ede2fc409c7b90f077545d2caec4c7addc98e6a2
            • Instruction Fuzzy Hash: 4101F7315402119FCB32AF69C490D7ABBFAFFA16A0B94446EE2C55B611CB39FC41CB91
            Function 00FFC020 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction ID: 722d497f2b585f664f47c26630db3bac30a7aad9bec70c990e37326a84df895b
            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
            • Instruction Fuzzy Hash: 8001F532100709DFDB62A6A9C900BB777E9FFC4714F14485AAA86CB550DE70E902D790
            Function 010420F0 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9ae26f851a4f5280a4f503fbc13bbc22b6ee40b53c46e12035613b5b7b269d3e
            • Instruction ID: 9944838b4c9f3d5f1c0838d196436ca4bd792c1a28a12bf1184e4933e0a08323
            • Opcode Fuzzy Hash: 9ae26f851a4f5280a4f503fbc13bbc22b6ee40b53c46e12035613b5b7b269d3e
            • Instruction Fuzzy Hash: 4D118075A0120DEFDB05EFA4D891FAE7BB5FB54340F0040A9F9819B250DA35AE11CB90
            Function 0103E5CF Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 58c064f67ed2389c0bf5053173a821f85d7550abdbfca622b109c736644828db
            • Instruction ID: a9aaa6ba5bb1a604389d4e06e6a4927b604ea8c02f609958010235c9ef31faac
            • Opcode Fuzzy Hash: 58c064f67ed2389c0bf5053173a821f85d7550abdbfca622b109c736644828db
            • Instruction Fuzzy Hash: 9001F7716005057FC311BB79CD80E97B7BCFF94664B000629B24587550DB38EC11C6E0
            Function 010969C0 Relevance: .0, Instructions: 49COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d72d69c9f2ffa0337dbaf8ed73f5e63e9b78f4d29c7e9520747307415785397d
            • Instruction ID: 25577a22b2ca52f7d3d30f7d44b9a012a3a96ed76d09eee006e01388b7d07042
            • Opcode Fuzzy Hash: d72d69c9f2ffa0337dbaf8ed73f5e63e9b78f4d29c7e9520747307415785397d
            • Instruction Fuzzy Hash: 7D014C322142029BC720DF6AC8989ABBBE8FF44620F114129EDA887180E7359901CBD1
            Function 0108C460 Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 751fc76f3b1aaffa61966c97040ff047f6d1c4b0b721eccd13fe0eaeffd4d91d
            • Instruction ID: 1f4d1cb11fd7b35325adaa9dd12a46397af139eeae1413ad29a6d23b298352ea
            • Opcode Fuzzy Hash: 751fc76f3b1aaffa61966c97040ff047f6d1c4b0b721eccd13fe0eaeffd4d91d
            • Instruction Fuzzy Hash: 47115B71A0120DABDB15EFA8C944EEE7BB5FB48250F004099BD8197340DA39ED51CBA0
            Function 0108C97C Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ed6df1c8d99837cc73d973ef0e15d4204aca615be4a60de555574d9387107dd2
            • Instruction ID: b0e1f427fb942f6688e375938c9a88b7b7c9f1ef8001133f02ea5265bcd39819
            • Opcode Fuzzy Hash: ed6df1c8d99837cc73d973ef0e15d4204aca615be4a60de555574d9387107dd2
            • Instruction Fuzzy Hash: A0117CB16083089FC700DF69D44199BBBF4EF98310F00855EB998D7350D630E900CBA2
            Function 0108CA11 Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 247a8e7408d467c113cc2c3473aa144aba0423b34e134b3e05c41e80b8b67e7d
            • Instruction ID: 34742799c20037b9e4167f1a37b1f9a4da007230fb6b718fde86beebfdf980f0
            • Opcode Fuzzy Hash: 247a8e7408d467c113cc2c3473aa144aba0423b34e134b3e05c41e80b8b67e7d
            • Instruction Fuzzy Hash: 86117CB16083089FC300DF69D44199BBBF4FF99350F00851EB998D7350E630E900CBA2
            Function 010D4A80 Relevance: .0, Instructions: 48COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
            • Instruction ID: b94ff2272188e0500265e489487e8ecabd6f7eccec5c318c8297af233f25d926
            • Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
            • Instruction Fuzzy Hash: B201D4322007069FD7219A6DD844F97BBEAFFC5210F044899F682CBA50EAB0F840C795
            Function 0101E016 Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction ID: 246d5a9aee13ca6aadb11361b560d2b0db794584fe07b7fe4039071afd006fb5
            • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
            • Instruction Fuzzy Hash: 0E017872200680DFE363DB1DC948F6B7BE8EB44B54F0944A1FE85CB6A2D66CDC80C621
            Function 00FF826B Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d86e404ec8a731c2ebd2be5d3017f94ef1aa29eaffedf01f74a5a899ce3c7774
            • Instruction ID: 8248921676ee92a390f24d6ab519b0d0afa8240ff9db08cc331823a0d19fc335
            • Opcode Fuzzy Hash: d86e404ec8a731c2ebd2be5d3017f94ef1aa29eaffedf01f74a5a899ce3c7774
            • Instruction Fuzzy Hash: B401A772B00509DFC714EB6ADC05ABE77A9FF41760B1580699A41D7790DE70ED03E690
            Function 010AEB50 Relevance: .0, Instructions: 46COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: InitializeThunk
            • String ID:
            • API String ID: 2994545307-0
            • Opcode ID: 1370d14b048e396313cb0f135d3114262f15bd4c05f4e7dcade68671538c6658
            • Instruction ID: 18e037921e80dcacd9a307befd41e3e2ad0a56e073ce563ce3038353b4692a62
            • Opcode Fuzzy Hash: 1370d14b048e396313cb0f135d3114262f15bd4c05f4e7dcade68671538c6658
            • Instruction Fuzzy Hash: BD01F7712407019FD3315B56D841F47BAA8EF55B60F11042DB3C68F790C6B5A840CB94
            Function 01002582 Relevance: .0, Instructions: 45COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 715e21cc87ab605853f703a73c54b668558ef6466045ae2395a7bb4c23449fa3
            • Instruction ID: f37a8a04ab07fa3b711caa33d1dd9320df9a576330794c699bf05451f0a6d508
            • Opcode Fuzzy Hash: 715e21cc87ab605853f703a73c54b668558ef6466045ae2395a7bb4c23449fa3
            • Instruction Fuzzy Hash: 20F0F932641711BBD7329B568C44F477EEDEB84B90F104069A6459B640D634ED01C7A0
            Function 0102C073 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction ID: 05813bbcb37078fce8944def8c603ecee20ed4200fe1b97084d6b5d3d6b66559
            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
            • Instruction Fuzzy Hash: 44F0C2B2A00621ABE324CF4DDD80E57FBEADBD5A80F048169F545CB220EA31DD04CB90
            Function 010D634F Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b74cbc20c49e3469a1f8fa869ea3c5eea0e059fb803533573e60fefba1eb8889
            • Instruction ID: c3f5b695402d585e611c83f2b9b1e7d1901caebf2d098fec3622beab2aea6512
            • Opcode Fuzzy Hash: b74cbc20c49e3469a1f8fa869ea3c5eea0e059fb803533573e60fefba1eb8889
            • Instruction Fuzzy Hash: 2C0121B1A10209ABDB04DFA9D551A9EB7F8FF58304F10806AF944EB350DA74DA018BA4
            Function 010D625D Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e4a05b46ae7e04d827073ded24e0437d40d552c8ce6299a8b9ddcbe182762997
            • Instruction ID: 18e1f4bb3e195ad10bffe00300b29b83c46dcda3fc0219da360b82f61fbac512
            • Opcode Fuzzy Hash: e4a05b46ae7e04d827073ded24e0437d40d552c8ce6299a8b9ddcbe182762997
            • Instruction Fuzzy Hash: 7E0121B1A10619ABCB04DFA9D491AAEB7F8EF58304F10806AF944EB351D674A9018BA4
            Function 010D62D6 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7ee28775fdd37daa5e40c433666447ddcca4bc3ef0f78e4b1234148c16bb0138
            • Instruction ID: 68a2122c4f321958ae512ab53f8e8f788f79773584395893e9220f93cc2955cd
            • Opcode Fuzzy Hash: 7ee28775fdd37daa5e40c433666447ddcca4bc3ef0f78e4b1234148c16bb0138
            • Instruction Fuzzy Hash: 2C0144B1A0020DEFDB04DFA9D451A9EB7F8FF58304F50806AF954EB350DA749D018BA4
            Function 00FFC310 Relevance: .0, Instructions: 43COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction ID: b28d7edd8fc7dcf7f447eb3da1c20ff53b84ca0c1d3561cd4d3731cb4bf3dda9
            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
            • Instruction Fuzzy Hash: 7EF0C233604A3F9BC73216598980B7BB6968FD1FA4F2A4035F3099B264CA648C02B6D1
            Function 0103CA6F Relevance: .0, Instructions: 42COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
            • Instruction ID: f4a71d314a1e91868c42e494a0692070c69b8e5ec915ab3083a3d0269064924f
            • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
            • Instruction Fuzzy Hash: FA01D631600A859BE322A61DC909B9ABBDDEF81754F0980A6FA84DF691DBB8D801C214
            Function 010D61E5 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 689ca8a4c8cb9e22a84338ec9492c8aa6005940ff740b077fca2f75817e02c89
            • Instruction ID: 607bbd82c5d591bd2163bd0a7732ea7ecfaa26f8a44fdc327faaefc87ac964b5
            • Opcode Fuzzy Hash: 689ca8a4c8cb9e22a84338ec9492c8aa6005940ff740b077fca2f75817e02c89
            • Instruction Fuzzy Hash: 12014FB1A006599BDB04DFA9D455AEEBBF8FF58310F14406AF941EB380D778EA01CB94
            Function 010863C0 Relevance: .0, Instructions: 41COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
            • Instruction ID: b7953539d400e20f1f13d01ca4b262b5e93282d3b34c451884dcae427cfed920
            • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
            • Instruction Fuzzy Hash: BEF06D7220001DBFEF02AF94CD80DEF7B7EEB592A8B114124FA0092020D632DD21ABA0
            Function 0108A4B0 Relevance: .0, Instructions: 40COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 688a41428f2a5222247d1a227c9eee894681987ad67cd1f8b7f6ca90a70a82ad
            • Instruction ID: db34553ce1f6e67423cebf2e26692c2ad0210345d689fa6951d9f468aeb2b724
            • Opcode Fuzzy Hash: 688a41428f2a5222247d1a227c9eee894681987ad67cd1f8b7f6ca90a70a82ad
            • Instruction Fuzzy Hash: B8018936204149EBCF12AE84DC40EDE3FA6FB4C664F058116FE9866620C736D9B0EB91
            Function 00FFC0F0 Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 224823fa5ef1ee8d23b4852b5d990b30575418e2d94e32e87099c53d1eb2899a
            • Instruction ID: 178654d02b7adec50f50e684cb09bdb211babb080dc0c7d9b4c41ccad54f7d79
            • Opcode Fuzzy Hash: 224823fa5ef1ee8d23b4852b5d990b30575418e2d94e32e87099c53d1eb2899a
            • Instruction Fuzzy Hash: E3F02B7260432D5BF314A5159E01B72329ADFD0760F69807AEB058F3E2FA71DC11A3D5
            Function 0103656A Relevance: .0, Instructions: 39COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3540ae7af38a095c82a1e38f418e6199ab6d0c80ddda7f8c9e303d99d4dc1a9f
            • Instruction ID: dbe9d9d9f2745d34a1d08a43b50bdb5876c6aa81cbc5d3b99a4f4613b0100c26
            • Opcode Fuzzy Hash: 3540ae7af38a095c82a1e38f418e6199ab6d0c80ddda7f8c9e303d99d4dc1a9f
            • Instruction Fuzzy Hash: 7901A970701681ABE372AB2CCD48B6937E8BB80B04F4841E4B9C1CB9D6D729D5018214
            Function 010A437C Relevance: .0, Instructions: 37COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction ID: 5fa7d7642087f5c3ea9d2b4ae99a1e360b971a24a2162a2b5be7c937514db42b
            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
            • Instruction Fuzzy Hash: F7F0593F341D1347E7B5AAAE8860B6EBAD5AFD0B00B4D856C96C1DB240CFA0C8048380
            Function 0108E872 Relevance: .0, Instructions: 36COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
            • Instruction ID: 603e36bc5b9e87463988002d03c47b1f836e03d945135c1123f48eabe5c6b3e7
            • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
            • Instruction Fuzzy Hash: BBF08933729521DBD371AA4DCC80F1AB7A8EFD5A60F590075A6C89F264C760EC01C7D0
            Function 0108C89D Relevance: .0, Instructions: 36COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 584e93f9e1a7715889f80e107cbe325311f8f641b00d77cfe3f109eaa414485c
            • Instruction ID: 7c81f1dfccb0ff49999d02cc215b260c1290a64a73be1727b7fa4214e403e0c1
            • Opcode Fuzzy Hash: 584e93f9e1a7715889f80e107cbe325311f8f641b00d77cfe3f109eaa414485c
            • Instruction Fuzzy Hash: ABF0AFB06193049FD310FF68C542A5BB7E4FF98710F80865AB8D8DB394EA34E900CB96
            Function 01030854 Relevance: .0, Instructions: 35COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
            • Instruction ID: f7c53c318f2cc40d27bf20e373d35db4d0f2a7046e6295aaa8280c76cbb9856f
            • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
            • Instruction Fuzzy Hash: BDF0B472610204AFE714DF25CC01F96B6EDEFD8340F148079A585DB164FAB5DD01D694
            Function 0108C912 Relevance: .0, Instructions: 34COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d93374dd00e1616283cc45497671357ff9a32d866b942f9cb46e72698a443722
            • Instruction ID: 80a3c4cd7e08250f0e99044255c0c3458b9979642f393512852631909adacabe
            • Opcode Fuzzy Hash: d93374dd00e1616283cc45497671357ff9a32d866b942f9cb46e72698a443722
            • Instruction Fuzzy Hash: 5EF062B0A0124DDFDB04EFA9D555A9EB7F4FF18300F108069B995EB385DA38EA01CB64
            Function 0040A7ED Relevance: .0, Instructions: 33COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_SecuriteInfo.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9d44fd9f054868efd350094a4d70267de33054086e7e44df512b4ad4b16977a8
            • Instruction ID: 6ec1fcf91d3fe3610ad473bc2a0161c726520ea98a86bc063cf3f481d3dee235
            • Opcode Fuzzy Hash: 9d44fd9f054868efd350094a4d70267de33054086e7e44df512b4ad4b16977a8
            • Instruction Fuzzy Hash: 25F05C376486558FC309DB78A0010C6BFB3C969714329A6B6C4515F1A7F636080EC3D4
            Function 010047FB Relevance: .0, Instructions: 33COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 734f4c77731499af7ec1d54afcfeae8b926eca41caabd89d650eee6beccae1ba
            • Instruction ID: 1cec38c25e35761576297e6568f76c1bd7bacd0264689847310671b4217b054c
            • Opcode Fuzzy Hash: 734f4c77731499af7ec1d54afcfeae8b926eca41caabd89d650eee6beccae1ba
            • Instruction Fuzzy Hash: 73F0F0719026D59EF7638F2CC004B69BBC49B00A21F084CEAD7C9C3582C3B4DB80C708
            Function 010C0115 Relevance: .0, Instructions: 32COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2e5dc9bd8e93c2923b75060d54fe3e9a3f74bcefa95a701920b4b3b3adf17824
            • Instruction ID: 04a7ccacf4ed87364e91c959fc69e4b3dfae8576f11f1b7ec219dea9300a6d8a
            • Opcode Fuzzy Hash: 2e5dc9bd8e93c2923b75060d54fe3e9a3f74bcefa95a701920b4b3b3adf17824
            • Instruction Fuzzy Hash: 6FF0273A41A68586CF726B2CA8A23D9AB98E781910F0910CDECE05760DC57B8483CB20
            Function 0103C5ED Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0eef3c045ffd9adcb5000ce5ddfb8ba32dcfe04ee396a3d2de76bc2d2c5abdc6
            • Instruction ID: eb177211407c5c9ea66a7387a24e67a916179d7dd09c5479923b44156260b87b
            • Opcode Fuzzy Hash: 0eef3c045ffd9adcb5000ce5ddfb8ba32dcfe04ee396a3d2de76bc2d2c5abdc6
            • Instruction Fuzzy Hash: E7F052754012809FF3A2971CC708B51BBDCAB887A0F0C94A7D5C2D3522C770E880DA40
            Function 01042619 Relevance: .0, Instructions: 31COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
            • Instruction ID: 4fa78ebbd7061b80450022f06fade9589453f9bb04727cb92096e0e0e2737a0a
            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
            • Instruction Fuzzy Hash: FCE0D8723006016BE7119F599CC4F877BAEDFDAB10F040079B5045F251C9E6DC0986A4
            Function 01096030 Relevance: .0, Instructions: 29COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
            • Instruction ID: fb069ca7613eb8b86db636f7b8715764c3c02b99cfd8ce0da888ef620f381c11
            • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
            • Instruction Fuzzy Hash: 3AF0A0721002049FE7208F09DD80F53BBF8EB85364F01C066F6488B160D33AEC40DBA0
            Function 01000710 Relevance: .0, Instructions: 28COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
            • Instruction ID: edc4b0be45610bd4b53950be2d7d052bb9d27ae0c2ea442670d26ab41dc5979b
            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
            • Instruction Fuzzy Hash: 3DF0E5396047459BEB57DF19D040ADA7BE4FB413A0F000094FCC68B341D735EA82CB50
            Function 010349D0 Relevance: .0, Instructions: 28COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
            • Instruction ID: 43d460af8dec5c3aa149e26ec4424270cbaa0809aa5eef62e8308a57fb813652
            • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
            • Instruction Fuzzy Hash: BFE0D832244945ABD3211A598800B6A7BEDEBD57A0F150429E280CF150DB74DC42C7D8
            Function 010D4164 Relevance: .0, Instructions: 27COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1d9fbe803c756854a15087165de64eacbef8fe775bd65829ab8154ed107923a4
            • Instruction ID: bdb3df54ee29d282843dc4f5de1d6c9788edee64b4cf36d2ac4a20fe45e6ffe6
            • Opcode Fuzzy Hash: 1d9fbe803c756854a15087165de64eacbef8fe775bd65829ab8154ed107923a4
            • Instruction Fuzzy Hash: 39F0A939A26B918FE7A2D738E2A0B9677E0AB10620F0E05A4D490C7E12C334EC80CA50
            Function 010A678E Relevance: .0, Instructions: 27COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
            • Instruction ID: 7b4044ecbf329017604fa8df8a41fc2ff723f32b885bb8d02848c16cf3f69520
            • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
            • Instruction Fuzzy Hash: 25E0DF32A00120BBDB21A7998D05F9ABEBCEB94FA0F090054B600EB0E0E531DE00C6D0
            Function 010D08C0 Relevance: .0, Instructions: 25COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
            • Instruction ID: db5cdd197e53625a4a77d064504b1a9ef2a6e55402189bdb21b3d43d7e9c137a
            • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
            • Instruction Fuzzy Hash: 06E09B316403518BCB259A1DC141A97BFE8DF95660F1580ADE9DD47616C271F842C6D0
            Function 010025E0 Relevance: .0, Instructions: 23COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 344d47e5801ba75f51cc8e63cb3e68d11a321407554196272a3bd658d309a3df
            • Instruction ID: 1e70910881921cb7758119d3131569722fd73bd038e88adc5f62c16e3afedc77
            • Opcode Fuzzy Hash: 344d47e5801ba75f51cc8e63cb3e68d11a321407554196272a3bd658d309a3df
            • Instruction Fuzzy Hash: BEE092721009549BC322FB29DD01FCA779AEB64360F014529B19597190CA35A810C7C8
            Function 010BA456 Relevance: .0, Instructions: 23COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
            • Instruction ID: 256b2fdd617d8c37c24fa6a71f0c9d4d6348a5018ba3b7a43a1b949f36c91b47
            • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
            • Instruction Fuzzy Hash: 79E09231110A11DFE7326F2AD988BD27AE0BF90711F148C6DE0D6124B0CBB898C0CA40
            Function 01084000 Relevance: .0, Instructions: 22COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
            • Instruction ID: 022e909fa5f7c7dc2dc2b5fb851c14c6b87766875dba4677378692f3ed4da3bb
            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
            • Instruction Fuzzy Hash: B0E0AE343043068BE755DF19C044B627BA6BFD5A10F28C0A8A9888F305EB32A8438A40
            Function 0103CA38 Relevance: .0, Instructions: 22COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2f147f5c56fe06396b7c755659004bf555f28fbe11ef891f4446e9dd1e45098b
            • Instruction ID: 3e4e74c1588c31e2268493faaae4bcc7a9364a70c1a601e09d8dcfb5c20d125d
            • Opcode Fuzzy Hash: 2f147f5c56fe06396b7c755659004bf555f28fbe11ef891f4446e9dd1e45098b
            • Instruction Fuzzy Hash: BAD02B324814306ADB75E1187D04FD33ADD9BC6324F054862F1C8F2015D519CC8282C4
            Function 00FF823B Relevance: .0, Instructions: 21COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction ID: 51ae193022650204183601d2081a6e5490bebb98f2679a839624d13943c78982
            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
            • Instruction Fuzzy Hash: 11E08632500918EFD7312E15DC40BA176A1FF54BA0F204829F1C1060748B747C82EB44
            Function 01002050 Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 89a4647917e4a5fff9003d71512ea31355477b5456c9be4068268570aa4f678e
            • Instruction ID: 1a1ee52695be01ce1f1a29ed082e95037b489e7c7258b84367c820e11f3811f7
            • Opcode Fuzzy Hash: 89a4647917e4a5fff9003d71512ea31355477b5456c9be4068268570aa4f678e
            • Instruction Fuzzy Hash: 04E0C232100454ABC312FB5DDD01F8A739EEFA8370F000125F1908B6D4CA25AC00C798
            Function 01038A90 Relevance: .0, Instructions: 20COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
            • Instruction ID: a364b79eebeb8a55fa361d3883f6a7fa1c391b8558b1dbcac693cf208bc9ab75
            • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
            • Instruction Fuzzy Hash: 52E08633111A1487D729DE18D511B7677E8EF85720F09877EA65387780C534E544C794
            Function 0040A7CF Relevance: .0, Instructions: 18COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2026512273.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_400000_SecuriteInfo.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 30e1051104484b6764b7f3912f4de2ea0ca1f7fafe58f612dc28ef9e2cf00233
            • Instruction ID: 1b12c263542896e5101f3d4b7ed0ce608fb4ec5b0b27e31583c6832db153754d
            • Opcode Fuzzy Hash: 30e1051104484b6764b7f3912f4de2ea0ca1f7fafe58f612dc28ef9e2cf00233
            • Instruction Fuzzy Hash: 76D0A72798C0D98DC7169379A1060D56F7BD892A083AEE6E5CC452F16BD22B041F87D4
            Function 0103E59C Relevance: .0, Instructions: 16COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
            • Instruction ID: d29f6d0c602169a1bcc5b23d078d193626ffde5152a830c83a5846fcbe80eacf
            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
            • Instruction Fuzzy Hash: 39D0A932604664ABD772AA1CFC00FC333E8BB88730F060499B048CB060C364AC82CA88
            Function 0107E908 Relevance: .0, Instructions: 16COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
            • Instruction ID: f2b9db52e507c0829a182c377849c152526c37f48f87513b2cf45e625bad5b80
            • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
            • Instruction Fuzzy Hash: E9E0EC36951684ABDF52DF59C640F9ABBF9BB94B40F150498A1886B660C624A900CB40
            Function 00FFA0E3 Relevance: .0, Instructions: 15COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction ID: 7a21e868c96d05f326ed6be058b322005c00808f47d235756fd72654f8f25299
            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
            • Instruction Fuzzy Hash: A0D0223321603893CB2857616800FB37905EF80BA0F1A002C350E93910C4088C42E6E0
            Function 0103A830 Relevance: .0, Instructions: 14COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
            • Instruction ID: 4087574e7147c72c6b02e5eb67c226733cc5257b4ad1f3b3fb31a7216ceadfb3
            • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
            • Instruction Fuzzy Hash: 93D012371D054DBBCB119F66DC01F957BA9E764BA0F444020B5048B5A0D63AE950D684
            Function 0103CA24 Relevance: .0, Instructions: 14COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: fbdf6f3ffc42c590840d0db64cd067ab6b39c1678aa558d0a24730d20775883f
            • Instruction ID: dc56536a59b16243961e024de3d31386e7d5a925fd55e310951a29d8e4419005
            • Opcode Fuzzy Hash: fbdf6f3ffc42c590840d0db64cd067ab6b39c1678aa558d0a24730d20775883f
            • Instruction Fuzzy Hash: 84D0A734D01449CBEF17DF08C618D6E36F4FB54640B4000ADE7C0A2420E72ADC02C700
            Function 010102A0 Relevance: .0, Instructions: 13COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
            • Instruction ID: 18847098a5d0c970b0333a007b04b5240ab75a346aeb2267bc10791a276468cb
            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
            • Instruction Fuzzy Hash: B6D0C935312E80CFD65BCB0CC5A4B5533E8BB44B44F8144D0F481CBB2AD62CD980CA00
            Function 0103C700 Relevance: .0, Instructions: 12COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
            • Instruction ID: 9aff8eaeb19cf3f80f5241ec92c1723ff2f1b28db75a38da61261eaa3cee6f60
            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
            • Instruction Fuzzy Hash: 4FC01232290648AFC712AA99CD01F427BA9EBA8B50F000021F2048B670D635E820EA84
            Function 01020310 Relevance: .0, Instructions: 11COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction ID: a8a0918c099161883d89b1ee381b2df01208f1671ae1b3bb64ed315f40356f9f
            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
            • Instruction Fuzzy Hash: 62D01236100248EFCB01DF41C890D9A772AFBD8710F108019FD19076108A31ED62DA90
            Function 01000750 Relevance: .0, Instructions: 9COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
            • Instruction ID: 2f4d67c7a5a338cc334929ddcaa2820062c2ebb1e0f97d6d42d75f8289443e0a
            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
            • Instruction Fuzzy Hash: 2CC04C797015458FCF55DB19D294F4677E4F744750F1508D0E985CB721E624E901CA10
            Function 01044340 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: dfd9a048130d27a3ee1112913ebd12f6d21b4d368d02b9691cf2c6a8087bd957
            • Instruction ID: 22ea4196f0120d76eae3829583ea901d06c9e3d8c44f66fbba5eddcc27d202a4
            • Opcode Fuzzy Hash: dfd9a048130d27a3ee1112913ebd12f6d21b4d368d02b9691cf2c6a8087bd957
            • Instruction Fuzzy Hash: 3A90023160580012A280715988845474005A7E0301B55C012F8824554CCA148E565761
            Function 01044650 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6cbbf9bf579a5c224dd56f3e70b828a4e030aa9fbdb66b147ac0f576a165f088
            • Instruction ID: 1267b1a302e9da1dc2693fa5c4e891b5f6a0188504c376b6714f8c2f0c7a723b
            • Opcode Fuzzy Hash: 6cbbf9bf579a5c224dd56f3e70b828a4e030aa9fbdb66b147ac0f576a165f088
            • Instruction Fuzzy Hash: B3900261601500425280715988044076005A7E1301395C116B8954560CC6188D559769
            Function 01042B60 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0d7f3c7c3df33d502e8a8725b4c6434a1072e2127b2afa4e2ac71ca786637d48
            • Instruction ID: 943e43e531f6ae574a5d62bd93a9e543ea513a29bf4b0a102d4de3bd96b442e4
            • Opcode Fuzzy Hash: 0d7f3c7c3df33d502e8a8725b4c6434a1072e2127b2afa4e2ac71ca786637d48
            • Instruction Fuzzy Hash: 6490026120240003524571598414617400A97E0201B55C022F9414590DC5258D916625
            Function 01042B80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: acb5d53b71a4c215eb2408194a89059c3c26a4b004babc43af9dbafdd235b809
            • Instruction ID: 59d75e07551b659fda09e049113d57d18f80b21dd4d5363603240d8917ec3cf3
            • Opcode Fuzzy Hash: acb5d53b71a4c215eb2408194a89059c3c26a4b004babc43af9dbafdd235b809
            • Instruction Fuzzy Hash: DD90023120140802E24471598804687000597D0301F55C012BE424655ED6658D917631
            Function 01042BA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7e5866bccd2e1bd6d045ad95690575bb73dde9bb15a53b0bbe70ca0d906ae0de
            • Instruction ID: 453966e74598e82633794d7c4251b24ceac44fa1e3328496d3d6c5fbe5d2d1ba
            • Opcode Fuzzy Hash: 7e5866bccd2e1bd6d045ad95690575bb73dde9bb15a53b0bbe70ca0d906ae0de
            • Instruction Fuzzy Hash: D290023160540802E29071598414747000597D0301F55C012B8424654DC7558F557BA1
            Function 01042BE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2d8b1a064270170ad389fd178556cb080f8ffbacc7acb178e5b8c84bfc7b3f7f
            • Instruction ID: bf76c77019d85f3e99d96abeb07a315612e6159f2dcd1cc07905d26ece8a84b4
            • Opcode Fuzzy Hash: 2d8b1a064270170ad389fd178556cb080f8ffbacc7acb178e5b8c84bfc7b3f7f
            • Instruction Fuzzy Hash: 7F90023120544842E28071598404A47001597D0305F55C012B8464694DD6258E55BB61
            Function 01042BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 68b79672340667f90292de89b45202e609df0abc5fd9ef80c671472e0582ae37
            • Instruction ID: d1e477a0f45d1f36e82e7c2444ec8bef43aa9a22ccfbec09973721a8293f1dd4
            • Opcode Fuzzy Hash: 68b79672340667f90292de89b45202e609df0abc5fd9ef80c671472e0582ae37
            • Instruction Fuzzy Hash: 3490023120140802E2C07159840464B000597D1301F95C016B8425654DCA158F597BA1
            Function 01042AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a749797e749192ac757539e7bb621864327e30fc5afb7e1bf1f81be47f086478
            • Instruction ID: c520f66ff386044e362d9547949e1be12de84fafc4bde1eec9ef96535ba9f019
            • Opcode Fuzzy Hash: a749797e749192ac757539e7bb621864327e30fc5afb7e1bf1f81be47f086478
            • Instruction Fuzzy Hash: 5D9002A1201540925640B259C404B0B450597E0201B55C017F9454560CC5258D519635
            Function 01042AD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ab4d078c3b81472344438efaee11260f9e1b560fbefb89808997d73542bcfb3b
            • Instruction ID: f4505dd487b3acd12f8363c8eb808ce6f0616d85527fffd5654abf6af8d2953b
            • Opcode Fuzzy Hash: ab4d078c3b81472344438efaee11260f9e1b560fbefb89808997d73542bcfb3b
            • Instruction Fuzzy Hash: B8900435311400031345F55D47045070047D7D5351355C033FD415550CD731CD715731
            Function 01042AF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b8b94fe3dd51e13e55af2a5557e84d52b66865ed36f5026419391689a01a0624
            • Instruction ID: 5c5bcad39c487a9259951d450b271837831ac0e7e8f3f98e05e1f93b7e9f8dc2
            • Opcode Fuzzy Hash: b8b94fe3dd51e13e55af2a5557e84d52b66865ed36f5026419391689a01a0624
            • Instruction Fuzzy Hash: 6C900225221400021285B559460450B0445A7D6351395C016F9816590CC6218D655721
            Function 01042D00 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2b2cd1af76f07de9c8b829a5860e689d32f3f2926ed272bd7948661d0555bae4
            • Instruction ID: ba0b6322c55ff1ae1f004499fab6491602672af9c03cafe4562f1049fab322e7
            • Opcode Fuzzy Hash: 2b2cd1af76f07de9c8b829a5860e689d32f3f2926ed272bd7948661d0555bae4
            • Instruction Fuzzy Hash: 4E90022120544442E24075599408A07000597D0205F55D012B9464595DC6358D51A631
            Function 01042D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d6a8275054f2df2b1480f28bfa4aa713bfb8aa9e3deb0e7841628e677b7b3051
            • Instruction ID: 3b9114ee85659e0bdd5f2594dbfc4a5aebefd49c00420985f2bbdb4ae650ea40
            • Opcode Fuzzy Hash: d6a8275054f2df2b1480f28bfa4aa713bfb8aa9e3deb0e7841628e677b7b3051
            • Instruction Fuzzy Hash: 1690022921340002E2C07159940860B000597D1202F95D416B8415558CC9158D695721
            Function 01042D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d472d8e2defbc6ec7b002a91dbe1395b6005b69753bcac61dd9e9df0282077b7
            • Instruction ID: 4c335f42195569cacefae937df993118eab746b05b1f9a8175283a7eb8e38e43
            • Opcode Fuzzy Hash: d472d8e2defbc6ec7b002a91dbe1395b6005b69753bcac61dd9e9df0282077b7
            • Instruction Fuzzy Hash: 4E90022130140003E280715994186074005E7E1301F55D012F8814554CD9158D565722
            Function 01042DB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0dfcc6ef45876a34c7aa24ff74327001e16374cd74d0886b1876b7882caa7777
            • Instruction ID: 256c3f4a6d9175297b6d2b94e1d9377ea4ce5334398433e3148279288fb0c573
            • Opcode Fuzzy Hash: 0dfcc6ef45876a34c7aa24ff74327001e16374cd74d0886b1876b7882caa7777
            • Instruction Fuzzy Hash: 6E90023124140402E281715984046070009A7D0241F95C013B8824554EC6558F56AF61
            Function 01042DD0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5881cc8649cc1833e3e91a715c2fb32dc7560c1d0e31966497044a8e86817389
            • Instruction ID: db481a00c444e4878b63ab1792d1c8074e7188e85280191776e59fc0320bdbc4
            • Opcode Fuzzy Hash: 5881cc8649cc1833e3e91a715c2fb32dc7560c1d0e31966497044a8e86817389
            • Instruction Fuzzy Hash: 68900221242441526685B15984045074006A7E0241795C013B9814950CC5269D56DB21
            Function 01042C60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e5fa51badd98574547e0fe3fc5d1e2543989de94e825b6cd6ff284c85af17cff
            • Instruction ID: fd3378040b48134ac85a514156c00f5c4ae69d6c1f01bf794763e1bfe88bb0a0
            • Opcode Fuzzy Hash: e5fa51badd98574547e0fe3fc5d1e2543989de94e825b6cd6ff284c85af17cff
            • Instruction Fuzzy Hash: AF90023120140842E24071598404B47000597E0301F55C017B8524654DC615CD517A21
            Function 01042C70 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6419f5929cc397fef4c7a7fe13706da39086db5941bc7d6ca941be905dc5744f
            • Instruction ID: 9008c73ef24a6ab6e22552bca4f7e4dc73aa1c7191754d580e62e8200a0bbab4
            • Opcode Fuzzy Hash: 6419f5929cc397fef4c7a7fe13706da39086db5941bc7d6ca941be905dc5744f
            • Instruction Fuzzy Hash: F790023120148802E2507159C40474B000597D0301F59C412BC824658DC6958D917621
            Function 01042CA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b82139c8a60168d087cc94a981d746e72327150fdcbdd4934d1dc4e1771c654b
            • Instruction ID: 0bc2290a1e1a2332c8e4b74e660214acd95c4df5f08962a361ee373cea01ce4e
            • Opcode Fuzzy Hash: b82139c8a60168d087cc94a981d746e72327150fdcbdd4934d1dc4e1771c654b
            • Instruction Fuzzy Hash: B790023120140402E24075999408647000597E0301F55D012BD424555EC6658D916631
            Function 01042CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 09e00fd99e64d660f03a427b1f98f42c97d418833248f1227b61947b330e9aba
            • Instruction ID: e3e6b8dd16fcd1fb0ccedcf3a17150bc4f45f7d868f3edbe28d7a5be6a109cc0
            • Opcode Fuzzy Hash: 09e00fd99e64d660f03a427b1f98f42c97d418833248f1227b61947b330e9aba
            • Instruction Fuzzy Hash: 9890022160540402E28071599418707001597D0201F55D012B8424554DC6598F556BA1
            Function 01042CF0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 36342e54fe36577fb8b56eac5d855978452431be3eb4448be97323b761370565
            • Instruction ID: 3a76538c8796bc87bc9aa4a10fcce8c6ff736f35cf04966af9fcd721b7bde29e
            • Opcode Fuzzy Hash: 36342e54fe36577fb8b56eac5d855978452431be3eb4448be97323b761370565
            • Instruction Fuzzy Hash: 4A90023120140403E24071599508707000597D0201F55D412B8824558DD6568D516621
            Function 01042F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3126e36eaaa938d44534398d8fd430609c5a76f39c9d61c3157af2b20ddac401
            • Instruction ID: 642ce56a4d88730c8379369a477faacf0a4ec293f6d0a741ab51701c64efd067
            • Opcode Fuzzy Hash: 3126e36eaaa938d44534398d8fd430609c5a76f39c9d61c3157af2b20ddac401
            • Instruction Fuzzy Hash: A690026134140442E24071598414B070005D7E1301F55C016F9464554DC619CD526626
            Function 01042F60 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b98cd16cf1ae1cd46e66a96f385181d1d51d1f8446f21a5462aa1a4925cb258a
            • Instruction ID: 7c249ee2f64927d34e6aa7ac84f33124c299570b0ecdfccddc3280da249dbe9e
            • Opcode Fuzzy Hash: b98cd16cf1ae1cd46e66a96f385181d1d51d1f8446f21a5462aa1a4925cb258a
            • Instruction Fuzzy Hash: F890026121140042E24471598404707004597E1201F55C013BA554554CC5298D615625
            Function 01042F90 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 02124a7335f092dba44268f20e63aef1970de5a7c92972281739d4883ff1826d
            • Instruction ID: f3eff820615ea5126fa73ed8557b46c51bb4f02616868fcbde52faf3fe75e2a8
            • Opcode Fuzzy Hash: 02124a7335f092dba44268f20e63aef1970de5a7c92972281739d4883ff1826d
            • Instruction Fuzzy Hash: 3290023120180402E2407159881470B000597D0302F55C012B9564555DC6258D516A71
            Function 01042FA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 411f62abfcf6c03b928123c10ddf522cfe31be321e210b03202a3487fafb2149
            • Instruction ID: ea677e172ed617b047102480f71af20bb7a9e721cdc470d367b889e783902188
            • Opcode Fuzzy Hash: 411f62abfcf6c03b928123c10ddf522cfe31be321e210b03202a3487fafb2149
            • Instruction Fuzzy Hash: A190023120180402E24071598808747000597D0302F55C012BD564555EC665CD916A31
            Function 01042FB0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a9cd088a2a8ffa6765f414fab01cdbcf74293e245602b0e64d0bbf71e84e5adc
            • Instruction ID: dd0722493bf12bcfc8ab50074add53d97e39ed3b2ae799fc368af025450604ff
            • Opcode Fuzzy Hash: a9cd088a2a8ffa6765f414fab01cdbcf74293e245602b0e64d0bbf71e84e5adc
            • Instruction Fuzzy Hash: A99002216014004252807169C8449074005BBE1211755C122B8D98550DC5598D655B65
            Function 01042FE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 656f69637371ed5ce999ca78643c854d4e6d0400a5d9ea3880040e470ba3d7df
            • Instruction ID: 70bbb46240d3da2cc3dfc1d3252e7ebacb7795cf2903e0c2b7afe2cdfb82e832
            • Opcode Fuzzy Hash: 656f69637371ed5ce999ca78643c854d4e6d0400a5d9ea3880040e470ba3d7df
            • Instruction Fuzzy Hash: 4C900221211C0042E34075698C14B07000597D0303F55C116B8554554CC9158D615A21
            Function 01042E30 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6476322d56cbf6c5affa97fab7c9b8a9a75dc98295120ddcc9d2668901810b84
            • Instruction ID: 8bff1b458a0eb12938506c60d6001e93a4e495c9abc2719b80e8b7997f13c881
            • Opcode Fuzzy Hash: 6476322d56cbf6c5affa97fab7c9b8a9a75dc98295120ddcc9d2668901810b84
            • Instruction Fuzzy Hash: A590022130140402E242715984146070009D7D1345F95C013F9824555DC6258E53A632
            Function 01042E80 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ee85966a3d9d503964099c813b36921acdbb6c10be587d1e19ddcc7a254309a9
            • Instruction ID: 6a2212cbcda4d6d3781236ad490896b9bf25145ece16c1b93b648e79b72f84c6
            • Opcode Fuzzy Hash: ee85966a3d9d503964099c813b36921acdbb6c10be587d1e19ddcc7a254309a9
            • Instruction Fuzzy Hash: 8790022160140502E24171598404617000A97D0241F95C023B9424555ECA258E92A631
            Function 01042EA0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 7a1b80b9202423e567ae3f5465a3d338539e1e0e3d2d7731ba84786158702e75
            • Instruction ID: c0b40ae0397f40ae9b0e4c205be28d60330f24c50e89f593e2544e05951a61de
            • Opcode Fuzzy Hash: 7a1b80b9202423e567ae3f5465a3d338539e1e0e3d2d7731ba84786158702e75
            • Instruction Fuzzy Hash: BD90027120140402E28071598404747000597D0301F55C012BD464554EC6598ED56B65
            Function 01042EE0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 96584a6a31888ed9e2309e3c8568dd29b3243e31451bc5e81f9816bd947c6eda
            • Instruction ID: 213297a02b1fa2e96de63eb7a8a8ef7106e737bae62887ede08c11ab5b6b021c
            • Opcode Fuzzy Hash: 96584a6a31888ed9e2309e3c8568dd29b3243e31451bc5e81f9816bd947c6eda
            • Instruction Fuzzy Hash: A490026120180403E28075598804607000597D0302F55C012BA464555ECA298D516635
            Function 01043010 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4eb370bc8931e505b30d27e858e18d6fa41631753d190587d88896513bb02576
            • Instruction ID: a4b3cde054285f11e497019c5ce307433c40c62057750acd8e2dae7fad211d5b
            • Opcode Fuzzy Hash: 4eb370bc8931e505b30d27e858e18d6fa41631753d190587d88896513bb02576
            • Instruction Fuzzy Hash: 0490022120184442E28072598804B0F410597E1202F95C01ABC556554CC9158D555B21
            Function 01043090 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 827af63798533dd7767554f2176abb6f46eec5049c6f7dbada5ff404ad7937ce
            • Instruction ID: 198ba844185632dfaf749bfd7a01477ee7e4c21ecc6e033d15775e029eb51011
            • Opcode Fuzzy Hash: 827af63798533dd7767554f2176abb6f46eec5049c6f7dbada5ff404ad7937ce
            • Instruction Fuzzy Hash: 7C90022124140802E2807159C4147070006D7D0601F55C012B8424554DC6168E656BB1
            Function 010435C0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a57815f2edaef03191f11afb3e8b239f2555e299df2bab38f5e530724c00e74c
            • Instruction ID: 5cd7f98b51dd48f499db8112f9e8aec8fda65e0f37dcb07ce2d2d6b9dd72eb6c
            • Opcode Fuzzy Hash: a57815f2edaef03191f11afb3e8b239f2555e299df2bab38f5e530724c00e74c
            • Instruction Fuzzy Hash: ED90023160550402E24071598514707100597D0201F65C412B8824568DC7958E516AA2
            Function 010439B0 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 9b44c209535f727273da2e7ef849108aad5b537e5547309ab2de55ff5b7efd0a
            • Instruction ID: f93a92c745e129f75d1c99b882c35f1f7b250dfca0c27cf1f627b1d741c0bb91
            • Opcode Fuzzy Hash: 9b44c209535f727273da2e7ef849108aad5b537e5547309ab2de55ff5b7efd0a
            • Instruction Fuzzy Hash: 1D90022124545102E290715D84046174005B7E0201F55C022B8C14594DC5558D556721
            Function 01043D10 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 65c55ec3d35388f136bb5ee0c074789a8e660d5aceaa987aebbcab43ff453327
            • Instruction ID: 048a969f1681067c3c7c37fd2c70dfbf4469213ec3965de313a65707ec460992
            • Opcode Fuzzy Hash: 65c55ec3d35388f136bb5ee0c074789a8e660d5aceaa987aebbcab43ff453327
            • Instruction Fuzzy Hash: EA90023120240142A68072599804A4F410597E1302B95D416B8415554CC9148D615721
            Function 01043D70 Relevance: .0, Instructions: 4COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d347f2ed9bf3bd221634cc0b6e605fc248c1d74f46549718ad801b2f7a43cdc2
            • Instruction ID: 5e0c6b5284eeb528f7b3cfb04c81e17018c2e1f54f9299957fb1b08099c4165f
            • Opcode Fuzzy Hash: d347f2ed9bf3bd221634cc0b6e605fc248c1d74f46549718ad801b2f7a43cdc2
            • Instruction Fuzzy Hash: 0D90023520140402E65071599804647004697D0301F55D412B8824558DC6548DA1A621
            Function 01042C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction ID: 4164425aec4f01afb9777adc96c70294eac149a4a1d655537a63a92f36486d43
            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
            • Instruction Fuzzy Hash:
            Function 01042890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
            • API String ID: 48624451-2108815105
            • Opcode ID: 47edde6a9ede95ec09698f94d06628519bcac058df7fdfa37677d119c9c55eb3
            • Instruction ID: 84230cc08c04a90e863ed86b6691df3af8f5774d5479452f223311cd5fa027fc
            • Opcode Fuzzy Hash: 47edde6a9ede95ec09698f94d06628519bcac058df7fdfa37677d119c9c55eb3
            • Instruction Fuzzy Hash: 6951A3F6B04116ABDB51DB9C98D097EFBF8BB48240B148269F5E5D7642D334EE408BA0
            Function 010B2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
            • API String ID: 48624451-2108815105
            • Opcode ID: 0615047b674ab484b81f8c1f59c7d5d536c7ed587245f13c53b3ed13802e1734
            • Instruction ID: 5e5c714c26b5cd6d868402dfd08a0ef281b999fd8aaaeb7293d617a1e10e6150
            • Opcode Fuzzy Hash: 0615047b674ab484b81f8c1f59c7d5d536c7ed587245f13c53b3ed13802e1734
            • Instruction Fuzzy Hash: C651E571A00645AECB64DE5CC8D09BFB7F9AF44300B448459E5D6D7681EB74FA40C760
            Function 01037630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
            Download Yara Rule
            Strings
            • ExecuteOptions, xrefs: 010746A0
            • CLIENT(ntdll): Processing section info %ws..., xrefs: 01074787
            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01074742
            • Execute=1, xrefs: 01074713
            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01074655
            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010746FC
            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01074725
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
            • API String ID: 0-484625025
            • Opcode ID: 819bacc7e217bb793720912b197179f187dfcf1f61f3fbb966d464d5786f8667
            • Instruction ID: 0019591cc30ee6326e8eefaad7049648be94b453a9533e4092a85a10fc9f1319
            • Opcode Fuzzy Hash: 819bacc7e217bb793720912b197179f187dfcf1f61f3fbb966d464d5786f8667
            • Instruction Fuzzy Hash: 595127B1A0021A7AEB21AAA9DC95FEE77ACFB58300F0400E9E685A7180D7719A41DF55
            Function 010D6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
            • Instruction ID: eb053b5a1fb56a7d9acb4022820f72c3c37870568839aa3038b4cfb80916f5e2
            • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
            • Instruction Fuzzy Hash: 2B023470508342AFD345DF18C490AAFBBE5EFC8714F44896DFA898B264DB32E945CB42
            Function 0104B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-$0$0
            • API String ID: 1302938615-699404926
            • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
            • Instruction ID: 444864ea913ab62c65c29d0fcf2e299bade3f1472fe2180314761ac9fc68ce11
            • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
            • Instruction Fuzzy Hash: 7F819DB0A052499FEF25DE6CC8D17FEBBE2BF49320F1841A9D8D1A7291C634D841CB51
            Function 010B20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: %%%u$[$]:%u
            • API String ID: 48624451-2819853543
            • Opcode ID: 045a922e604a502aa1a08d70236d9877c4981158c7ddd0005f7e90daefe3e9f9
            • Instruction ID: 82f19381892299d644da6c8115586c9f2458f7324a6c6f4cae9f35b19558e48a
            • Opcode Fuzzy Hash: 045a922e604a502aa1a08d70236d9877c4981158c7ddd0005f7e90daefe3e9f9
            • Instruction Fuzzy Hash: 6B2167BAA00119ABDB50DF79DC90AFF7BF8EF64640F040566ED45D3240E730E9028B91
            Function 0102F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
            Download Yara Rule
            Strings
            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010702E7
            • RTL: Re-Waiting, xrefs: 0107031E
            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010702BD
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
            • API String ID: 0-2474120054
            • Opcode ID: 597fdb982df08d77e2110d4f467430789da692839e20fe2ad09d1820c14a2ae5
            • Instruction ID: 2e0a9841763de1c1d3ee4013897649ef393fed487975c32dab70dc86440697e6
            • Opcode Fuzzy Hash: 597fdb982df08d77e2110d4f467430789da692839e20fe2ad09d1820c14a2ae5
            • Instruction Fuzzy Hash: 50E1CD70A087429FD765CF28C884B2ABBF0BB89364F144AADF5E58B2D1D774D845CB42
            Function 0103BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
            Download Yara Rule
            Strings
            • RTL: Resource at %p, xrefs: 01077B8E
            • RTL: Re-Waiting, xrefs: 01077BAC
            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01077B7F
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 0-871070163
            • Opcode ID: 403d40ee8fb7160b859c034f5b5a64aa14635fa18ad2eeaed334b8582a7a7b2a
            • Instruction ID: d6d7b51e3153db0b7738b30ad0f7e5eeac1d9d894b8cf4329ebe5775b9e2c78b
            • Opcode Fuzzy Hash: 403d40ee8fb7160b859c034f5b5a64aa14635fa18ad2eeaed334b8582a7a7b2a
            • Instruction Fuzzy Hash: 9541D4357047039FD720DE29C840B6AB7E9EF98725F100A6DFADADB680DB71E4058B91
            Function 0103B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
            Download Yara Rule
            APIs
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0107728C
            Strings
            • RTL: Resource at %p, xrefs: 010772A3
            • RTL: Re-Waiting, xrefs: 010772C1
            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01077294
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
            • API String ID: 885266447-605551621
            • Opcode ID: 0ce11e3fc747580044f7cc971c98e0ffe5722a49d07645a77a32e4a4929a1a3b
            • Instruction ID: c3583994ec96adce64a2ae80b7ec4e9a6abbed408e5e6589718c175bb5a6ef24
            • Opcode Fuzzy Hash: 0ce11e3fc747580044f7cc971c98e0ffe5722a49d07645a77a32e4a4929a1a3b
            • Instruction Fuzzy Hash: 48410231B04202ABC721DE29CC41FAABBE5FF94754F100619F9E5EB280DB21E81287D5
            Function 010B2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: ___swprintf_l
            • String ID: %%%u$]:%u
            • API String ID: 48624451-3050659472
            • Opcode ID: cf045caaeddb7705bcab055d98e1d1e514895a726bd442d9b25c2f0844ba3959
            • Instruction ID: 8be7cf02e388d39059f398de9c698877cbf42e5784b381c5c34ba307118febb5
            • Opcode Fuzzy Hash: cf045caaeddb7705bcab055d98e1d1e514895a726bd442d9b25c2f0844ba3959
            • Instruction Fuzzy Hash: A4316672A012199FDB60DF2DCC80BEF77F8EF54650F454596E989E3240EB30EA458BA0
            Function 01047D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID: __aulldvrm
            • String ID: +$-
            • API String ID: 1302938615-2137968064
            • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
            • Instruction ID: 5764d725fbb2aac0514c31a424f69de09763bd80fc134afcd4f90a23012ec528
            • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
            • Instruction Fuzzy Hash: 199190F1E0021A9BEB64DF6DC8C0ABEBBF5AF44320F54867AE9D5A72C0D73099418751
            Function 01009126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000004.00000002.2027035047.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_4_2_fd0000_SecuriteInfo.jbxd
            Similarity
            • API ID:
            • String ID: $$@
            • API String ID: 0-1194432280
            • Opcode ID: b47fa9b6af634a85a07bdd2fbf74cf5478d871b5bd74a55bd5d8934f76cc8a18
            • Instruction ID: d9ea53ace5a913c85aba5608c66d1b08e6401fd83f59f0afd64486018c94c5b1
            • Opcode Fuzzy Hash: b47fa9b6af634a85a07bdd2fbf74cf5478d871b5bd74a55bd5d8934f76cc8a18
            • Instruction Fuzzy Hash: CD811A71D012699BDB32DB54CC45BEEB7B8AB08754F0041EAEA5DB7280D7359E84CFA0