Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
Analysis ID:1483058
MD5:68b43f31a73b4ceccb149056b6a7aafa
SHA1:067ddfcf7a22a17e438a1c26cfa37c1427bdc0d1
SHA256:b07cd71f9882bdd5e28f47863b84634b985bebb1dab1e5cc84e246b94fe8c864
Tags:AgentTeslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe" MD5: 68B43F31A73B4CECCB149056B6A7AAFA)
    • powershell.exe (PID: 3228 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7280 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • RegSvcs.exe (PID: 2624 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 4332 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "phoenixblowers.com", "Username": "backoffice@phoenixblowers.com", "Password": "Officeback@2022#"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.3238002300.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000006.00000002.3238002300.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000006.00000002.3239532526.00000000028F1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000006.00000002.3239532526.00000000028F1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 7 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x316b3:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x31725:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x317af:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x31841:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x318ab:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x3191d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x319b3:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x31a43:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                6.2.RegSvcs.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  6.2.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 10 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, ParentProcessId: 7156, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe", ProcessId: 3228, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, ParentProcessId: 7156, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe", ProcessId: 3228, ProcessName: powershell.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 43.255.154.55, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 4332, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49708
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, ParentProcessId: 7156, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe", ProcessId: 3228, ProcessName: powershell.exe

                    Snort Signatures

                    No Snort rule has matched

                    Suricata Signatures

                    Timestamp:2024-07-26T15:23:54.956611+0200
                    SID:2022930
                    Source Port:443
                    Destination Port:49717
                    Protocol:TCP
                    Classtype:A Network Trojan was detected
                    Timestamp:2024-07-26T15:23:16.624272+0200
                    SID:2022930
                    Source Port:443
                    Destination Port:49711
                    Protocol:TCP
                    Classtype:A Network Trojan was detected

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeAvira: detected
                    Found malware configuration
                    Source: 6.2.RegSvcs.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "phoenixblowers.com", "Username": "backoffice@phoenixblowers.com", "Password": "Officeback@2022#"}
                    Multi AV Scanner detection for submitted file
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeReversingLabs: Detection: 50%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for sample
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeJoe Sandbox ML: detected

                    Compliance

                    barindex
                    Detected unpacking (overwrites its own PE header)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeUnpacked PE file: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.360000.0.unpack
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 4x nop then jmp 08F9B30Eh0_2_08F9AAFB
                    Source: global trafficTCP traffic: 192.168.2.5:49708 -> 43.255.154.55:587
                    Source: Joe Sandbox ViewIP Address: 43.255.154.55 43.255.154.55
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.5:49708 -> 43.255.154.55:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: phoenixblowers.com
                    Source: RegSvcs.exe, 00000006.00000002.3238767434.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: RegSvcs.exe, 00000006.00000002.3242989638.0000000005D54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: RegSvcs.exe, 00000006.00000002.3242989638.0000000005DC6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3238767434.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                    Source: RegSvcs.exe, 00000006.00000002.3238767434.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: RegSvcs.exe, 00000006.00000002.3242989638.0000000005DC6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3238767434.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com05
                    Source: RegSvcs.exe, 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://phoenixblowers.com
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000002.2034198929.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3239532526.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000002.2034973185.0000000003736000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3238002300.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000002.2034973185.0000000003736000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3238002300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3239532526.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: RegSvcs.exe, 00000006.00000002.3239532526.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: RegSvcs.exe, 00000006.00000002.3239532526.00000000028A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: RegSvcs.exe, 00000006.00000002.3242989638.0000000005DC6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3238767434.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49706 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, 3DlgK9re6m.cs.Net Code: rfBOV
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3736188.2.raw.unpack, 3DlgK9re6m.cs.Net Code: rfBOV

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3736188.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3736188.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025313E00_2_025313E0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025326680_2_02532668
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025335680_2_02533568
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_02531C200_2_02531C20
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025313380_2_02531338
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025320E80_2_025320E8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_0253367A0_2_0253367A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_0253361C0_2_0253361C
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025336D70_2_025336D7
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025357F80_2_025357F8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025357E80_2_025357E8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_0253379D0_2_0253379D
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025334FE0_2_025334FE
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025355C00_2_025355C0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025335EB0_2_025335EB
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025355B10_2_025355B1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_02535A700_2_02535A70
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_02535A620_2_02535A62
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025308710_2_02530871
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_0253381B0_2_0253381B
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_025338A10_2_025338A1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_02535C700_2_02535C70
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_08F9D5B00_2_08F9D5B0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_08F971D80_2_08F971D8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_08F951180_2_08F95118
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_08F951080_2_08F95108
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_08F97B700_2_08F97B70
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_08F96DA00_2_08F96DA0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_08F955500_2_08F95550
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_08F955400_2_08F95540
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F3A9606_2_00F3A960
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F34A986_2_00F34A98
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F3DBD86_2_00F3DBD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F33E806_2_00F33E80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F341C86_2_00F341C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_06413CDF6_2_06413CDF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_064145F06_2_064145F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_06415D806_2_06415D80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_064135906_2_06413590
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_064192306_2_06419230
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_064110486_2_06411048
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0641E1116_2_0641E111
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0641A1906_2_0641A190
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_064156A06_2_064156A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_064103286_2_06410328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0641C3B06_2_0641C3B0
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000002.2032946672.00000000009DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000002.2034198929.00000000026D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000002.2034198929.00000000026D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamecc4b9efc-cfc9-4184-b5cd-f53d37b761fe.exe4 vs SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000000.1995652964.0000000000410000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFzOa.exe: vs SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000002.2043360597.0000000008F10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000002.2044169013.000000000AB30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000002.2034973185.0000000003736000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamecc4b9efc-cfc9-4184-b5cd-f53d37b761fe.exe4 vs SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeBinary or memory string: OriginalFilenameFzOa.exe: vs SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3736188.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3736188.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, slKb.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, mAKJ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, xQRSe0Fg.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, n3rhMa.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, MQzE4FWn.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, nSmgRyX5a1.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, 6IMLmJtk.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, 6IMLmJtk.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, 3HroK7qN.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, 3HroK7qN.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, WJVX9PnJ5nJCjakgVG.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, Mq1Ah9vj3KtohGD8Dd.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, Mq1Ah9vj3KtohGD8Dd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, Mq1Ah9vj3KtohGD8Dd.csSecurity API names: _0020.AddAccessRule
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/6@2/2
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.logJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMutant created: \Sessions\1\BaseNamedObjects\DKkwHYfpnokIxpOnorccWQ
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lngavjba.apm.ps1Jump to behavior
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeReversingLabs: Detection: 50%
                    Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    Detected unpacking (changes PE section rights)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeUnpacked PE file: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.360000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
                    Detected unpacking (overwrites its own PE header)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeUnpacked PE file: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.360000.0.unpack
                    .NET source code contains potential unpacker
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.272ec18.1.raw.unpack, -.cs.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.272ec18.1.raw.unpack, PingPong.cs.Net Code: Justy
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.8f10000.4.raw.unpack, -.cs.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.8f10000.4.raw.unpack, PingPong.cs.Net Code: Justy
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, Mq1Ah9vj3KtohGD8Dd.cs.Net Code: l3arnFNVe1OpnRPDNkh System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_02534C49 push ds; iretd 0_2_02534C57
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_02536C77 push eax; ret 0_2_02536C79
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_02536C81 push eax; ret 0_2_02536C83
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_08F99DA8 pushfd ; retf 0_2_08F99DA9
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeCode function: 0_2_08F99D60 push eax; retf 0_2_08F99D61
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F30C6D push edi; retf 6_2_00F30C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00F30C45 push ebx; retf 6_2_00F30C52
                    Source: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeStatic PE information: section name: .text entropy: 7.89519410569211
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, IBtM4k4J4tsq5drShp.csHigh entropy of concatenated method names: 'pBSghICtx8', 'aB9gj8ygui', 'DA98pi4gXd', 'fMi8lL8iWX', 'pIpgTd8MMt', 'gE2gKgBQbI', 'fpKgX5YShE', 'FYFgD6Kmqt', 'HOeg5K1IkE', 'pDVgm9cyWO'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, aqJwix7JRTP07L3Y1Y.csHigh entropy of concatenated method names: 'Dispose', 'rAZlCqIpIT', 'WA69GNBKqF', 'deq77spDG9', 'MA4ljUbgDy', 'hfrlzt6JZ7', 'ProcessDialogKey', 'rvb9pgZGEE', 'Jgx9lypU5Z', 'fHA99fkK48'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, HYb4UGjarah1PDZTIN.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'cOa9C2RT7H', 'fKv9jwluh7', 'zsP9zgBG9X', 'mFAEpRThI7', 'UypElw8v1n', 'eGYE9hA6kT', 'zi0EEbZ7Mk', 'NoJRgPN8OGbENgxqjuT'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, OybfIX9RVamQPJeBham.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zw5MDJijrs', 'NTTM5OuYhs', 'BXPMm2EImw', 'r1gMLvP5uq', 'RI0MOGeOHk', 'umCMa8T4Ao', 'sn9MPFDxRE'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, WUwVOfOsfDf0eJaLx5.csHigh entropy of concatenated method names: 'sIO8UZPXIR', 'Nr18nOo6t9', 'Uqr8dxH8iw', 'Tyy8bayboC', 'ggN8QOb353', 'iX78JgcR2S', 'CrI8vrHemv', 'pVl8oYWwyb', 'jy183N2nIx', 'LJu8yYRmWb'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, dBuNAIGYQ3AZOmWKcr.csHigh entropy of concatenated method names: 'EWsQZghTHg', 'tH4Qnf6LPa', 'r9WQbkXv6W', 'fH4QJd9HwL', 'JpPQv5lqbS', 'jcnbOY26CL', 'Y2DbagDfad', 'cA8bPuR8IF', 'FuSbhlElWQ', 'sBqbCuGODI'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, dU51abqdOFJlmTZZ8F.csHigh entropy of concatenated method names: 'z7TdewtV8S', 'VQ2dBqZVfU', 'yc6dsmncJA', 't1Od0vHj3w', 'ispdF9GvMa', 'Fvgd6tYhi7', 'HtadgfJXmQ', 'Yssd85Eu0Q', 'AW6dcTRrA5', 'Ot4dMqVChJ'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, athOG70WArks9HWmh0.csHigh entropy of concatenated method names: 'VfucltwLef', 'fKqcE98qSc', 'O7Xcqw7rEO', 'yZccUs0HKq', 'NercnqeJUy', 'TfwcbIu2GY', 'DaucQMukpD', 'xAV8P2jA1j', 'PnM8hHOkbe', 'RNT8CrxIkj'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, tHwvXKyQ73qsJ0f7KL.csHigh entropy of concatenated method names: 'xb8JUpKHet', 'pGlJd287i0', 'rMlJQoVnPc', 'zpjQjrg82N', 'TYcQzix6fb', 'I7hJpktTd1', 'M4lJl4Eeaf', 'F3LJ9BmJij', 'MWLJESDOMS', 'EQ0JqoC7kw'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, WJVX9PnJ5nJCjakgVG.csHigh entropy of concatenated method names: 'fKbnDQvFG2', 'gBqn5o3OwN', 'QBqnmj9i2x', 'Fb2nLuUR87', 'Yr9nO1G28Y', 'VUjnaFEEDO', 'Wu9nPGdwwZ', 'A64nh0jxUN', 'H30nCAhxJU', 'DsEnjHJOyM'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, DHQBoCBMiDwn5LomhQ.csHigh entropy of concatenated method names: 'B99rsTu0sP', 'elur0dA7H4', 'q7QrV6UAHp', 'AWyrGlLB60', 'MHjrSjrCaW', 'U7BrY3EUuG', 'tnHrRxRf7w', 'hUJrNxQQsB', 'BjurkdfUYj', 'XgZrTh8R6F'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, GIJTso96SuHJMhDNvwO.csHigh entropy of concatenated method names: 'n3NcHDEGKC', 'hTCcwRBBQi', 'RAXcIuschD', 'avMce0JaWC', 'J5pct5ynoM', 'QskcB7PNEK', 'STIcfNYUC1', 'x4Ncsst46E', 'bbOc0Ueq9B', 'kKJc4g7wVM'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, ohlNjsz0xg4w12lrKL.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'K3tcrhwP7L', 'MARcFQmg9h', 'OeRc6uNIl6', 'kwncgUPVUY', 'wXDc82kCWG', 'HHWcctSVYw', 'kLmcMW97jI'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, Mq1Ah9vj3KtohGD8Dd.csHigh entropy of concatenated method names: 'Ae8EZ2u2xP', 'EfQEU1wKqr', 'Y7MEnGVWWn', 'udIEdmKFHL', 'DDqEbbOusi', 'eOvEQO1hlI', 'AraEJl7Y5T', 'G5SEvnVmDF', 'HJlEoDfxKB', 'DlAE3mSax8'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, ggyFLSe2UQRURZuItS.csHigh entropy of concatenated method names: 'LiElJnW5mT', 'cE8lvqlxEw', 'bo8l32HD01', 'f6hlyNTgyy', 'ESTlFJyrTT', 'b1bl6c2CxN', 'lmGfpsUSBD7PITNgKu', 'UGXFrdeBXLMgqyMQ3w', 'Mb5llfVVwK', 'uU7lEoIUBZ'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, Pgoq07sHcgPfCEVyYW.csHigh entropy of concatenated method names: 'UlmFkc9W4L', 'yA0FKTAVmd', 'pt0FDioXOF', 'wSwF52QQj0', 'Q0FFGDBJ2X', 'geZFuK0KCv', 'H3qFSCUggk', 'pW5FYcF27l', 'HRmFxEZkt0', 'b3iFRYcy8q'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, yxbkDYZXQTc0EE0UoB.csHigh entropy of concatenated method names: 'wiobtsQepK', 'AQxbfA8BOy', 'TLTdu8BDok', 'eysdSWpqJO', 'R6NdYFDYem', 'jcYdxaOoMZ', 'qBfdRu8QIP', 'NGfdNLLwyG', 'N2hd21W82P', 'rxmdkYn076'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, yY1NWAl5Mr8wYVP2Z2.csHigh entropy of concatenated method names: 'LVnINGolx', 'g4ieEAwsa', 'WPPBILkmZ', 'rXvfPONUo', 'BqZ0utJcR', 'bOo4TXBGW', 'rNPkuisgXRM9gvhida', 'kKjSZdY2hF65C6AEM2', 'to68E2bok', 'ywkMnRpxl'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, KFmmEM3rImWgE6gwTO.csHigh entropy of concatenated method names: 'epGJHLPUUu', 'F75JwxqQ3s', 'mOpJI7febS', 'XN8JeZo6Ol', 'npRJtnLrvW', 'bOjJBFROk6', 'sKsJfp8Gy7', 'KxPJs642eC', 'G2TJ0dT13b', 'yiCJ4qZNgc'
                    Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.ab30000.6.raw.unpack, WhhJOX8JRxy7JHQgvZ.csHigh entropy of concatenated method names: 'n868VWV6VU', 'BEj8GxeUSB', 'RHt8uJJbWW', 'OD18S4awbt', 'zM98D9CdFn', 'X228YU9FsW', 'Next', 'Next', 'Next', 'NextBytes'

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe PID: 7156, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory allocated: 2530000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory allocated: 26D0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory allocated: 46D0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory allocated: 4CF0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory allocated: 5CF0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory allocated: 5E20000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory allocated: 6E20000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory allocated: ABB0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory allocated: BBB0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory allocated: 4CF0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6099Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3166Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1435Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8420Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe TID: 5864Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7256Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99787Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99218Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98671Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98343Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98011Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97797Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97468Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96921Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96593Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96229Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95999Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95780Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95671Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95343Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95233Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94796Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94575Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94468Jump to behavior
                    Source: RegSvcs.exe, 00000006.00000002.3242989638.0000000005D54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe"Jump to behavior
                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 907008Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3736188.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3736188.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.3238002300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.3239532526.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2034973185.0000000003736000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe PID: 7156, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4332, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3736188.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3736188.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.3238002300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.3239532526.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2034973185.0000000003736000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe PID: 7156, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4332, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3736188.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3770ba8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.3736188.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000006.00000002.3238002300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.3239532526.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2034973185.0000000003736000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe PID: 7156, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4332, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts311
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		1
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		11
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)3
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		111
                    Security Software Discovery                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Standard Port                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook32
                    Software Packing                    		NTDS1
                    Process Discovery                    		Distributed Component Object Model1
                    Input Capture                    		2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets141
                    Virtualization/Sandbox Evasion                    		SSHKeylogging23
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Masquerading                    		Cached Domain Credentials1
                    Application Window Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                    Virtualization/Sandbox Evasion                    		DCSync1
                    System Network Configuration Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job311
                    Process Injection                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1483058 Sample: SecuriteInfo.com.Win32.Malw... Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 26 phoenixblowers.com 2->26 28 api.ipify.org 2->28 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 8 other signatures 2->40 8 SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe 4 2->8         started        signatures3 process4 file5 24 SecuriteInfo.com.W...31904.27419.exe.log, ASCII 8->24 dropped 42 Detected unpacking (changes PE section rights) 8->42 44 Detected unpacking (overwrites its own PE header) 8->44 46 Writes to foreign memory regions 8->46 48 3 other signatures 8->48 12 RegSvcs.exe 15 2 8->12         started        16 powershell.exe 23 8->16         started        18 RegSvcs.exe 8->18         started        signatures6 process7 dnsIp8 30 phoenixblowers.com 43.255.154.55, 49708, 587 AS-26496-GO-DADDY-COM-LLCUS Singapore 12->30 32 api.ipify.org 104.26.13.205, 443, 49706 CLOUDFLARENETUS United States 12->32 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->50 52 Tries to steal Mail credentials (via file / registry access) 12->52 54 Tries to harvest and steal ftp login credentials 12->54 56 Tries to harvest and steal browser information (history, passwords, etc) 12->56 58 Loading BitLocker PowerShell Module 16->58 20 WmiPrvSE.exe 16->20         started        22 conhost.exe 16->22         started        60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->60 signatures9 process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe50%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                    SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe100%AviraHEUR/AGEN.1309847
                    SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    https://api.ipify.org/0%URL Reputationsafe
                    http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
                    https://api.ipify.org0%URL Reputationsafe
                    https://sectigo.com/CPS00%URL Reputationsafe
                    https://account.dyn.com/0%URL Reputationsafe
                    https://api.ipify.org/t0%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    http://phoenixblowers.com0%Avira URL Cloudsafe
                    http://ocsp.sectigo.com050%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    phoenixblowers.com
                    		43.255.154.55
                    		truetrue
                      		unknown
                      api.ipify.org
                      		104.26.13.205
                      		truefalse
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://api.ipify.org/false
                        • URL Reputation: safe
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#RegSvcs.exe, 00000006.00000002.3242989638.0000000005DC6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3238767434.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://api.ipify.orgSecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000002.2034973185.0000000003736000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3238002300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3239532526.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://sectigo.com/CPS0RegSvcs.exe, 00000006.00000002.3242989638.0000000005DC6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3238767434.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://account.dyn.com/SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000002.2034973185.0000000003736000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3238002300.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://api.ipify.org/tRegSvcs.exe, 00000006.00000002.3239532526.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://phoenixblowers.comRegSvcs.exe, 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe, 00000000.00000002.2034198929.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3239532526.00000000028A1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://ocsp.sectigo.com05RegSvcs.exe, 00000006.00000002.3242989638.0000000005DC6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3238767434.0000000000D39000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown

                        World Map of Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public IPs

                        IPDomainCountryFlagASNASN NameMalicious
                        43.255.154.55
                        		phoenixblowers.comSingapore
                        		26496AS-26496-GO-DADDY-COM-LLCUStrue
                        104.26.13.205
                        		api.ipify.orgUnited States
                        		13335CLOUDFLARENETUSfalse

                        General Information

                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1483058
                        Start date and time:2024-07-26 15:22:10 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 59s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:11
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@9/6@2/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 98%
                        • Number of executed functions: 86
                        • Number of non-executed functions: 16
                        Cookbook Comments:
                        • Found application associated with file extension: .exe

                        Warnings

                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        09:22:57API Interceptor1x Sleep call for process: SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe modified
                        09:22:59API Interceptor15x Sleep call for process: powershell.exe modified
                        09:23:01API Interceptor133x Sleep call for process: RegSvcs.exe modified

                        Joe Sandbox View / Context

                        IPs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        43.255.154.55SKMBT41085NC9.exeGet hashmaliciousFormBookBrowse
                        • www.abtotalsolution.com/ftgq/?1b30vb0=lNx+fuCjF6x4qwT+2fcPHvD62SBJYAF9YFjnshbroYz2tNyAQAtoBR2AOSwWuHuG9TxWG0DDNw==&Z6A=2drlQXfH
                        2a#U062c.exeGet hashmaliciousFormBookBrowse
                        • www.abtotalsolution.com/ftgq/?LZNd=lNx+fuCjF6x4qwT+2fcPHvD62SBJYAF9YFjnshbroYz2tNyAQAtoBR2AORcGy2y96mYH&MnZ=bjoxsdeh2XJx3v
                        a449cc12_by_Libranalysis.exeGet hashmaliciousFormBookBrowse
                        • www.abtotalsolution.com/ftgq/?zXedzD=UfrDQp&7n6dXlL=lNx+fuCjF6x4qwT+2fcPHvD62SBJYAF9YFjnshbroYz2tNyAQAtoBR2AORcGy2y96mYH
                        104.26.13.205SecuriteInfo.com.Win64.Evo-gen.28044.10443.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/
                        vstdlib_s64.dll.dllGet hashmaliciousQuasarBrowse
                        • api.ipify.org/
                        golang-modules.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/
                        SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/
                        242764.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                        • api.ipify.org/?format=wef
                        Ransom.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                        • api.ipify.org/
                        ld.exeGet hashmaliciousTargeted Ransomware, TrojanRansomBrowse
                        • api.ipify.org/
                        ReturnLegend.exeGet hashmaliciousStealitBrowse
                        • api.ipify.org/?format=json
                        SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exeGet hashmaliciousPureLog Stealer, Targeted RansomwareBrowse
                        • api.ipify.org/
                        Sky-Beta-Setup.exeGet hashmaliciousStealitBrowse
                        • api.ipify.org/?format=json

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        phoenixblowers.comdocument.exeGet hashmaliciousAgentTeslaBrowse
                        • 43.255.154.55
                        inquiry EBS# 82785.exeGet hashmaliciousAgentTeslaBrowse
                        • 43.255.154.55
                        Enquiry - ENQ#16801.exeGet hashmaliciousAgentTeslaBrowse
                        • 43.255.154.55
                        SecuriteInfo.com.Trojan.Heur3.CTR.301bbRm0@amk5Nyl.20112.16423.exeGet hashmaliciousAgentTeslaBrowse
                        • 43.255.154.55
                        Enquiry - ENQ#16801.exeGet hashmaliciousAgentTeslaBrowse
                        • 43.255.154.55
                        PROFORMA INVOICE.exeGet hashmaliciousAgentTeslaBrowse
                        • 43.255.154.55
                        Advance payment.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                        • 43.255.154.55
                        documents.exeGet hashmaliciousAgentTeslaBrowse
                        • 43.255.154.55
                        quote image.exeGet hashmaliciousAgentTeslaBrowse
                        • 43.255.154.55
                        Requirements.exeGet hashmaliciousAgentTeslaBrowse
                        • 43.255.154.55
                        api.ipify.orghttps://fiffr-12d16.web.appGet hashmaliciousUnknownBrowse
                        • 172.67.74.152
                        Swift Copy.exeGet hashmaliciousAgentTeslaBrowse
                        • 172.67.74.152
                        SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exeGet hashmaliciousAgentTeslaBrowse
                        • 172.67.74.152
                        ynhHNexysa.exeGet hashmaliciousAgentTeslaBrowse
                        • 172.67.74.152
                        2FBexXRCHR.rtfGet hashmaliciousAgentTeslaBrowse
                        • 172.67.74.152
                        https://pub-bc1e99c17d21413c8c62ead228907d1f.r2.dev/auth_gen.html?folder=inf0gudkij&module&user-agent=Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.75+Safari/537.36Get hashmaliciousGreatness Phishing Kit, HTMLPhisherBrowse
                        • 104.26.13.205
                        https://b14d.lnsd.workers.dev/Get hashmaliciousHTMLPhisherBrowse
                        • 104.26.13.205
                        LisectAVT_2403002A_124.exeGet hashmaliciousAgentTeslaBrowse
                        • 104.26.12.205
                        LisectAVT_2403002A_127.exeGet hashmaliciousAgentTeslaBrowse
                        • 104.26.13.205
                        LisectAVT_2403002A_133.exeGet hashmaliciousAgentTeslaBrowse
                        • 172.67.74.152

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        AS-26496-GO-DADDY-COM-LLCUSNew Order#9.exeGet hashmaliciousFormBookBrowse
                        • 148.66.138.133
                        Swift Copy.exeGet hashmaliciousAgentTeslaBrowse
                        • 148.66.136.151
                        file.exeGet hashmaliciousSystemBCBrowse
                        • 132.148.72.102
                        LisectAVT_2403002A_2.exeGet hashmaliciousAgentTeslaBrowse
                        • 182.50.135.77
                        LisectAVT_2403002A_59.exeGet hashmaliciousAgentTeslaBrowse
                        • 182.50.135.77
                        DEBIT NOTE.exeGet hashmaliciousAgentTeslaBrowse
                        • 148.66.136.151
                        httP://151.28.168.184.host.secureserver.net/documento=24/07/2024/U04cVk3Ovkp..VkcI/6VnUVdvU8k1Oz8c2H4/maud.gaume@gmail.com-282072__;!!P3IToRM6tg!mhHYI3NP1FN47238PV4Ejpyi3ZOkGxwJydSJnD9HyjmCKYq9ZCB_iRj7Oz_yw96WdDsvl9wksR7V4C9z2rZDtUTV_FwEQ6ffgUAMko4$Get hashmaliciousUnknownBrowse
                        • 184.168.28.151
                        LisectAVT_2403002B_412.exeGet hashmaliciousFormBookBrowse
                        • 166.62.6.144
                        LisectAVT_2403002C_15.exeGet hashmaliciousAgentTeslaBrowse
                        • 148.66.145.151
                        https://msms.live/index.phpGet hashmaliciousUnknownBrowse
                        • 118.139.181.13
                        CLOUDFLARENETUSNew Order#9.exeGet hashmaliciousFormBookBrowse
                        • 172.67.185.114
                        https://fiffr-12d16.web.appGet hashmaliciousUnknownBrowse
                        • 172.67.74.152
                        https://disney.apexanalytix.com/Help/DownloadFile?ID=P%2fgMga3n7lQ%3dGet hashmaliciousUnknownBrowse
                        • 104.16.40.28
                        Swift Copy.exeGet hashmaliciousAgentTeslaBrowse
                        • 172.67.74.152
                        https://olive-hummingbird-763499.hostingersite.com/Onedrive-inboxmessage/onenote.html#asa@aan.ptGet hashmaliciousUnknownBrowse
                        • 104.18.11.207
                        https://forms.office.com/Pages/ResponsePage.aspx?id=F0il39lMqEiGOt9WRpZx4wvO-e767m5Jgq527TAyuTxUNFdESUY2VVdIOU5UTDkxN01BVUg0V1dIWi4uGet hashmaliciousUnknownBrowse
                        • 104.18.11.213
                        Built.exeGet hashmaliciousBlank GrabberBrowse
                        • 162.159.135.233
                        One_Docx 1.pdfGet hashmaliciousHTMLPhisherBrowse
                        • 104.17.25.14
                        file.exeGet hashmaliciousBabadedaBrowse
                        • 172.64.41.3
                        RFQ#51281AOLAI.xlsGet hashmaliciousFormBook, PureLog StealerBrowse
                        • 188.114.96.3

                        JA3 Fingerprints

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        3b5074b1b5d032e5620f69f9f700ff0ehttps://fiffr-12d16.web.appGet hashmaliciousUnknownBrowse
                        • 104.26.13.205
                        Swift Copy.exeGet hashmaliciousAgentTeslaBrowse
                        • 104.26.13.205
                        https://pendingdelivery864.s3.us-east.cloud-object-storage.appdomain.cloud/%2540%2523%2524%2525%255E%2526%2526()(%2526%2526%255E%255E%2525%2525%2524%2524%2524%2523%2523.html#nogueira@carboclor.com.arGet hashmaliciousUnknownBrowse
                        • 104.26.13.205
                        6SoKuOqyNh.exeGet hashmaliciousAmadey, Babadeda, Stealc, VidarBrowse
                        • 104.26.13.205
                        Payment Advice__HSBC Banking.pdf.lnkGet hashmaliciousRemcosBrowse
                        • 104.26.13.205
                        https://rtntrack.rediff.com/click?url=___https://www.firstpost.com/health/covid-19-puts-kidney-patients-at-high-risk-as-poor-immunity-ill-equipped-dialysis-centres-exposes-patients-to-infection-8627161.html___&service=instasearch&clientip=66.249.79.152&pos=readfullarticle&Ruw=&Rl=&q=&destinationurl=https://My.ha51000.com/.de/c2FsbHkuYmVldHlAcXVpbHRlci5jb20=Get hashmaliciousPhisherBrowse
                        • 104.26.13.205
                        http://cursostop10.com.br/adm/rudd/?email=nathalie.petillon@chirec.beGet hashmaliciousHTMLPhisherBrowse
                        • 104.26.13.205
                        file.exeGet hashmaliciousAmadey, Babadeda, Stealc, VidarBrowse
                        • 104.26.13.205
                        SecuriteInfo.com.Trojan.PackedNET.738.1574.9831.exeGet hashmaliciousAgentTeslaBrowse
                        • 104.26.13.205
                        http://cs9.bizGet hashmaliciousUnknownBrowse
                        • 104.26.13.205

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe.log

                        Download File
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.34331486778365
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):2232
                        Entropy (8bit):5.379401388151058
                        Encrypted:false
                        SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:fLHxvIIwLgZ2KRHWLOug8s
                        MD5:AF15464AFD6EB7D301162A1DC8E01662
                        SHA1:A974B8FEC71BF837B8E72FE43AB43E447FC43A86
                        SHA-256:103A67F6744C098E5121D2D732753DFA4B54FA0EFD918FEC3941A3C052F5E211
                        SHA-512:7B5B7B7F6EAE4544BAF61F9C02BF0138950E5D7D1B0457DE2FAB2C4C484220BDD1AB42D6884838E798AD46CE1B5B5426CEB825A1690B1190857D3B643ABFAB37
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbgschxn.kih.ps1

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1dar5yr.bdu.psm1

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lngavjba.apm.ps1

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zxo0n2ij.imt.psm1

                        Download File
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.889429323677744
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
                        File size:708'096 bytes
                        MD5:68b43f31a73b4ceccb149056b6a7aafa
                        SHA1:067ddfcf7a22a17e438a1c26cfa37c1427bdc0d1
                        SHA256:b07cd71f9882bdd5e28f47863b84634b985bebb1dab1e5cc84e246b94fe8c864
                        SHA512:8f72fbd2b9f31e1b848fbe40308181091acabf8b41bfde8aeed97bafa200f3c5b013c529fea171f49a04d9df339b715774eaa9d2f2bd3d34e7e2fc88e73ef2a5
                        SSDEEP:12288:pHao7c1AQS1Gk1GAEMtXU5Kazq+qw1iwVgADl6pe/2KUnrpe+6ztu7a7Id0O:xaogiKk1GAjkMazq+qwVNOE2pn
                        TLSH:0CE4E09D7250B1EFC86BC9768AA81C64AA6134B7531BD313A45722ECDE0D69BCF101F3
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._.f..............0.................. ........@.. .......................@............@................................

                        File Icon

                        Icon Hash:00928e8e8686b000

                        Static PE Info

                        General

                        Entrypoint:0x4ae3de
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66A35F05 [Fri Jul 26 08:32:05 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al

                        Data Directories

                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT0xae38c0x4f.text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xb00000x5a8.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xb20000xc.reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        .text0x20000xac3e40xac4000c29db73c752226fb069cfe904cbbb3aFalse0.9179786715348331data7.89519410569211IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rsrc0xb00000x5a80x600215d3bb138d4cbcae2cb2437ed5c565aFalse0.4205729166666667data4.078006909895276IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc0xb20000xc0x20005dcc6a7e0d896361ad57d26fb69b41aFalse0.044921875data0.09800417566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        NameRVASizeTypeLanguageCountryZLIB Complexity
                        RT_VERSION0xb00a00x31cdata0.435929648241206
                        RT_MANIFEST0xb03bc0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                        Imports

                        DLLImport
                        mscoree.dll_CorExeMain

                        Network Behavior

                        Suricata IDS Alerts

                        TimestampProtocolSIDSignatureSource PortDest PortSource IPDest IP
                        2024-07-26T15:23:54.956611+0200TCP2022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow4434971720.114.59.183192.168.2.5
                        2024-07-26T15:23:16.624272+0200TCP2022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow4434971120.114.59.183192.168.2.5

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Jul 26, 2024 15:23:00.086524010 CEST49706443192.168.2.5104.26.13.205
                        Jul 26, 2024 15:23:00.086575031 CEST44349706104.26.13.205192.168.2.5
                        Jul 26, 2024 15:23:00.086663008 CEST49706443192.168.2.5104.26.13.205
                        Jul 26, 2024 15:23:00.092745066 CEST49706443192.168.2.5104.26.13.205
                        Jul 26, 2024 15:23:00.092757940 CEST44349706104.26.13.205192.168.2.5
                        Jul 26, 2024 15:23:00.596949100 CEST44349706104.26.13.205192.168.2.5
                        Jul 26, 2024 15:23:00.597094059 CEST49706443192.168.2.5104.26.13.205
                        Jul 26, 2024 15:23:00.605382919 CEST49706443192.168.2.5104.26.13.205
                        Jul 26, 2024 15:23:00.605407000 CEST44349706104.26.13.205192.168.2.5
                        Jul 26, 2024 15:23:00.605792999 CEST44349706104.26.13.205192.168.2.5
                        Jul 26, 2024 15:23:00.656692028 CEST49706443192.168.2.5104.26.13.205
                        Jul 26, 2024 15:23:00.662822962 CEST49706443192.168.2.5104.26.13.205
                        Jul 26, 2024 15:23:00.708504915 CEST44349706104.26.13.205192.168.2.5
                        Jul 26, 2024 15:23:00.785769939 CEST44349706104.26.13.205192.168.2.5
                        Jul 26, 2024 15:23:00.785850048 CEST44349706104.26.13.205192.168.2.5
                        Jul 26, 2024 15:23:00.789113045 CEST49706443192.168.2.5104.26.13.205
                        Jul 26, 2024 15:23:00.796560049 CEST49706443192.168.2.5104.26.13.205
                        Jul 26, 2024 15:23:02.165143013 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:02.171118975 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:02.172246933 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:03.307527065 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:03.307787895 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:03.312815905 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:03.671519041 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:03.671756983 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:03.676763058 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:04.009937048 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:04.010380983 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:04.015378952 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:04.360352039 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:04.360513926 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:04.360882044 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:04.361140966 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:04.361152887 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:04.361211061 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:04.447927952 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:04.480743885 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:04.485507011 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:04.816914082 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:04.820854902 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:04.825792074 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:05.168003082 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:05.168935061 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:05.175079107 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:05.528973103 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:05.529895067 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:05.534785986 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:05.874629021 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:05.874908924 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:05.879889965 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:06.211183071 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:06.211399078 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:06.217319012 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:06.596935034 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:06.597142935 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:06.602735043 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:06.933352947 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:06.934178114 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:06.934305906 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:06.934305906 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:06.934346914 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:23:06.939538956 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:06.939549923 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:06.939675093 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:06.939683914 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:16.474056005 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:23:16.515974998 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:24:41.703706026 CEST49708587192.168.2.543.255.154.55
                        Jul 26, 2024 15:24:41.709258080 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:24:42.058021069 CEST5874970843.255.154.55192.168.2.5
                        Jul 26, 2024 15:24:42.058757067 CEST49708587192.168.2.543.255.154.55

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Jul 26, 2024 15:23:00.065773964 CEST5774653192.168.2.51.1.1.1
                        Jul 26, 2024 15:23:00.076059103 CEST53577461.1.1.1192.168.2.5
                        Jul 26, 2024 15:23:01.681045055 CEST6157653192.168.2.51.1.1.1
                        Jul 26, 2024 15:23:02.163706064 CEST53615761.1.1.1192.168.2.5

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                        Jul 26, 2024 15:23:00.065773964 CEST192.168.2.51.1.1.10x2aStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                        Jul 26, 2024 15:23:01.681045055 CEST192.168.2.51.1.1.10xf7ffStandard query (0)phoenixblowers.comA (IP address)IN (0x0001)false

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Jul 26, 2024 15:23:00.076059103 CEST1.1.1.1192.168.2.50x2aNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                        Jul 26, 2024 15:23:00.076059103 CEST1.1.1.1192.168.2.50x2aNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                        Jul 26, 2024 15:23:00.076059103 CEST1.1.1.1192.168.2.50x2aNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                        Jul 26, 2024 15:23:02.163706064 CEST1.1.1.1192.168.2.50xf7ffNo error (0)phoenixblowers.com43.255.154.55A (IP address)IN (0x0001)false

                        HTTP Request Dependency Graph

                        • api.ipify.org

                        HTTPS Proxied Packets

                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        0192.168.2.549706104.26.13.2054434332C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        TimestampBytes transferredDirectionData
                        2024-07-26 13:23:00 UTC155OUTGET / HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                        Host: api.ipify.org
                        Connection: Keep-Alive
                        2024-07-26 13:23:00 UTC211INHTTP/1.1 200 OK
                        Date: Fri, 26 Jul 2024 13:23:00 GMT
                        Content-Type: text/plain
                        Content-Length: 11
                        Connection: close
                        Vary: Origin
                        CF-Cache-Status: DYNAMIC
                        Server: cloudflare
                        CF-RAY: 8a94b3a97c6c8cda-EWR
                        2024-07-26 13:23:00 UTC11INData Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                        Data Ascii: 8.46.123.33


                        SMTP Packets

                        TimestampSource PortDest PortSource IPDest IPCommands
                        Jul 26, 2024 15:23:03.307527065 CEST5874970843.255.154.55192.168.2.5220-sg2plzcpnl505839.prod.sin2.secureserver.net ESMTP Exim 4.96.2 #2 Fri, 26 Jul 2024 06:23:03 -0700
                        220-We do not authorize the use of this system to transport unsolicited,
                        220 and/or bulk e-mail.
                        Jul 26, 2024 15:23:03.307787895 CEST49708587192.168.2.543.255.154.55EHLO 610930
                        Jul 26, 2024 15:23:03.671519041 CEST5874970843.255.154.55192.168.2.5250-sg2plzcpnl505839.prod.sin2.secureserver.net Hello 610930 [8.46.123.33]
                        250-SIZE 52428800
                        250-8BITMIME
                        250-PIPELINING
                        250-PIPECONNECT
                        250-AUTH PLAIN LOGIN
                        250-STARTTLS
                        250 HELP
                        Jul 26, 2024 15:23:03.671756983 CEST49708587192.168.2.543.255.154.55STARTTLS
                        Jul 26, 2024 15:23:04.009937048 CEST5874970843.255.154.55192.168.2.5220 TLS go ahead

                        Statistics

                        CPU Usage

                        Click to jump to process

                        Memory Usage

                        Click to jump to process

                        High Level Behavior Distribution

                        Click to dive into process behavior distribution

                        Behavior

                        Click to jump to process

                        System Behavior

                        General

                        Target ID:0
                        Start time:09:22:56
                        Start date:26/07/2024
                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe"
                        Imagebase:0x360000
                        File size:708'096 bytes
                        MD5 hash:68B43F31A73B4CECCB149056B6A7AAFA
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2034973185.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2034973185.0000000003736000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        General

                        Target ID:3
                        Start time:09:22:58
                        Start date:26/07/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31904.27419.exe"
                        Imagebase:0x230000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:4
                        Start time:09:22:58
                        Start date:26/07/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:5
                        Start time:09:22:58
                        Start date:26/07/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Imagebase:0x270000
                        File size:45'984 bytes
                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        General

                        Target ID:6
                        Start time:09:22:58
                        Start date:26/07/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        Imagebase:0x720000
                        File size:45'984 bytes
                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3238002300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3238002300.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3239532526.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3239532526.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3239532526.0000000002917000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:false

                        General

                        Target ID:7
                        Start time:09:23:00
                        Start date:26/07/2024
                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Imagebase:0x7ff6ef0c0000
                        File size:496'640 bytes
                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Disassembly

                        Reset < >

                          Execution Graph

                          Execution Coverage:16.9%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:126
                          Total number of Limit Nodes:9
                          execution_graph 12800 8f9b9d8 12801 8f9bb63 12800->12801 12803 8f9b9fe 12800->12803 12803->12801 12804 8f9b518 12803->12804 12805 8f9bcb0 PostMessageW 12804->12805 12806 8f9bd5d 12805->12806 12806->12803 12807 253c860 12809 253c887 12807->12809 12808 253c964 12809->12808 12811 253c4f4 12809->12811 12812 253dd18 CreateActCtxA 12811->12812 12814 253de1e 12812->12814 12655 2538318 12656 2538365 VirtualProtect 12655->12656 12657 25383d1 12656->12657 12658 8f98b74 12659 8f98b90 12658->12659 12660 8f98c5b 12658->12660 12660->12659 12663 8f9a3ae 12660->12663 12679 8f9a341 12660->12679 12664 8f9a33c 12663->12664 12666 8f9a3b1 12663->12666 12665 8f9a38e 12664->12665 12694 8f9a954 12664->12694 12698 8f9ab75 12664->12698 12703 8f9aa95 12664->12703 12708 8f9abde 12664->12708 12712 8f9a8fc 12664->12712 12717 8f9a7d9 12664->12717 12721 8f9aee4 12664->12721 12726 8f9aa45 12664->12726 12733 8f9ac42 12664->12733 12737 8f9aac8 12664->12737 12742 8f9a849 12664->12742 12747 8f9a857 12664->12747 12665->12659 12666->12659 12680 8f9a36a 12679->12680 12681 8f9a7d9 2 API calls 12680->12681 12682 8f9a8fc 2 API calls 12680->12682 12683 8f9abde 2 API calls 12680->12683 12684 8f9aa95 2 API calls 12680->12684 12685 8f9ab75 2 API calls 12680->12685 12686 8f9a954 2 API calls 12680->12686 12687 8f9a857 2 API calls 12680->12687 12688 8f9a849 2 API calls 12680->12688 12689 8f9aac8 2 API calls 12680->12689 12690 8f9ac42 2 API calls 12680->12690 12691 8f9aa45 4 API calls 12680->12691 12692 8f9aee4 2 API calls 12680->12692 12693 8f9a38e 12680->12693 12681->12693 12682->12693 12683->12693 12684->12693 12685->12693 12686->12693 12687->12693 12688->12693 12689->12693 12690->12693 12691->12693 12692->12693 12693->12659 12752 8f97fa8 12694->12752 12756 8f97fa0 12694->12756 12695 8f9a977 12695->12665 12700 8f9a83f 12698->12700 12699 8f9af47 12699->12665 12700->12699 12760 8f97a78 12700->12760 12764 8f97a80 12700->12764 12705 8f9a83f 12703->12705 12704 8f9af47 12704->12665 12705->12704 12706 8f97a78 ResumeThread 12705->12706 12707 8f97a80 ResumeThread 12705->12707 12706->12705 12707->12705 12768 8f980c9 12708->12768 12772 8f980d0 12708->12772 12709 8f9ac15 12713 8f9a922 12712->12713 12776 8f981e8 12713->12776 12780 8f981f0 12713->12780 12714 8f9afdf 12784 8f9856c 12717->12784 12788 8f98578 12717->12788 12722 8f9b01b 12721->12722 12792 8f98348 12722->12792 12796 8f98340 12722->12796 12723 8f9b03d 12729 8f97fa8 Wow64SetThreadContext 12726->12729 12730 8f97fa0 Wow64SetThreadContext 12726->12730 12727 8f9af47 12727->12665 12728 8f9a83f 12728->12727 12731 8f97a78 ResumeThread 12728->12731 12732 8f97a80 ResumeThread 12728->12732 12729->12728 12730->12728 12731->12728 12732->12728 12735 8f981e8 WriteProcessMemory 12733->12735 12736 8f981f0 WriteProcessMemory 12733->12736 12734 8f9ac66 12734->12665 12735->12734 12736->12734 12738 8f9a83f 12737->12738 12738->12737 12739 8f9af47 12738->12739 12740 8f97a78 ResumeThread 12738->12740 12741 8f97a80 ResumeThread 12738->12741 12739->12665 12740->12738 12741->12738 12744 8f9a83f 12742->12744 12743 8f9af47 12743->12665 12744->12743 12745 8f97a78 ResumeThread 12744->12745 12746 8f97a80 ResumeThread 12744->12746 12745->12744 12746->12744 12748 8f9a87a 12747->12748 12750 8f981e8 WriteProcessMemory 12748->12750 12751 8f981f0 WriteProcessMemory 12748->12751 12749 8f9a9ff 12749->12665 12750->12749 12751->12749 12753 8f97ff1 Wow64SetThreadContext 12752->12753 12755 8f98069 12753->12755 12755->12695 12757 8f97f9a 12756->12757 12757->12756 12758 8f98033 Wow64SetThreadContext 12757->12758 12759 8f98069 12758->12759 12759->12695 12761 8f97a72 12760->12761 12761->12760 12762 8f97add ResumeThread 12761->12762 12763 8f97b10 12762->12763 12763->12700 12765 8f97ac4 ResumeThread 12764->12765 12767 8f97b10 12765->12767 12767->12700 12769 8f98114 VirtualAllocEx 12768->12769 12771 8f9818c 12769->12771 12771->12709 12773 8f98114 VirtualAllocEx 12772->12773 12775 8f9818c 12773->12775 12775->12709 12777 8f981e2 12776->12777 12777->12776 12778 8f98296 WriteProcessMemory 12777->12778 12779 8f982d5 12778->12779 12779->12714 12781 8f9823c WriteProcessMemory 12780->12781 12783 8f982d5 12781->12783 12783->12714 12785 8f985ff CreateProcessA 12784->12785 12787 8f98854 12785->12787 12789 8f985ff CreateProcessA 12788->12789 12791 8f98854 12789->12791 12793 8f98394 ReadProcessMemory 12792->12793 12795 8f9840c 12793->12795 12795->12723 12797 8f98394 ReadProcessMemory 12796->12797 12799 8f9840c 12797->12799 12799->12723 12815 8f98b04 12817 8f98a9a 12815->12817 12816 8f98bef 12817->12816 12818 8f9a3ae 12 API calls 12817->12818 12819 8f9a341 12 API calls 12817->12819 12818->12816 12819->12816

                          Executed Functions

                          Function 02533568 Relevance: 5.2, Strings: 4, Instructions: 189COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 310 2533568-253358d 311 2533594-25335b1 310->311 312 253358f 310->312 313 25335b9 311->313 312->311 314 25335c0-25335dc 313->314 315 25335e5-25335e6 314->315 316 25335de 314->316 317 25339e5-25339ec 315->317 318 25335fa-253361a 315->318 316->313 316->318 319 25337b3-25337b7 316->319 320 25338b2-25338c7 316->320 321 2533994-25339ab 316->321 322 25336f9-2533705 316->322 323 25337e3-25337f8 316->323 324 25336e2-25336f4 316->324 325 2533961-2533978 316->325 326 2533767-253377e 316->326 327 2533646-2533652 316->327 328 253392b-2533944 call 2533c00 316->328 329 2533908-2533926 316->329 330 253374d-2533762 316->330 331 25338cc-25338de 316->331 318->314 332 25337ca-25337d1 319->332 333 25337b9-25337c8 319->333 320->314 321->314 336 2533707 322->336 337 253370c-2533722 322->337 323->314 324->314 325->314 326->314 334 2533654 327->334 335 2533659-2533675 327->335 338 253394a-253395c 328->338 329->314 330->314 331->314 339 25337d8-25337de 332->339 333->339 334->335 335->314 336->337 344 2533724 337->344 345 2533729-2533748 337->345 338->314 339->314 344->345 345->314
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: @zAz$@zAz$FO$U
                          • API String ID: 0-2132718400
                          • Opcode ID: 9a9a3400a4b41c395ae8673cb45b8fc604357be059795dfff65d17770ba297c2
                          • Instruction ID: 3e66d8e9ab0ef70d3e4b9f8bc3c78080e46260f6ad7b72dfa41a279b60a37676
                          • Opcode Fuzzy Hash: 9a9a3400a4b41c395ae8673cb45b8fc604357be059795dfff65d17770ba297c2
                          • Instruction Fuzzy Hash: 9581EC71E0520ADFCB08CFA6C5814AEFBB2FF89311B14E865D515AB264D738DA42CF94
                          Function 0253367A Relevance: 5.2, Strings: 4, Instructions: 160COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 348 253367a-253369a 350 25335c0-25335dc 348->350 351 25335e5-25335e6 350->351 352 25335de 350->352 353 25339e5-25339ec 351->353 354 25335fa-253361a 351->354 352->354 355 25337b3-25337b7 352->355 356 25338b2-25338c7 352->356 357 2533994-25339ab 352->357 358 25336f9-2533705 352->358 359 25335b9 352->359 360 25337e3-25337f8 352->360 361 25336e2-25336f4 352->361 362 2533961-2533978 352->362 363 2533767-253377e 352->363 364 2533646-2533652 352->364 365 253392b-2533944 call 2533c00 352->365 366 2533908-2533926 352->366 367 253374d-2533762 352->367 368 25338cc-25338de 352->368 354->350 369 25337ca-25337d1 355->369 370 25337b9-25337c8 355->370 356->350 357->350 373 2533707 358->373 374 253370c-2533722 358->374 359->350 360->350 361->350 362->350 363->350 371 2533654 364->371 372 2533659-2533675 364->372 375 253394a-253395c 365->375 366->350 367->350 368->350 376 25337d8-25337de 369->376 370->376 371->372 372->350 373->374 381 2533724 374->381 382 2533729-2533748 374->382 375->350 376->350 381->382 382->350
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: @zAz$FO$Z%Ku$U
                          • API String ID: 0-2740011037
                          • Opcode ID: 02b3caad2c6db9cd39b69fbcc6da71f8838bb801dd65db3e2e099ac65ff998b7
                          • Instruction ID: 52b61edde56eefa9dd982da7851ec838160a98c08e44704dd6dd1dd48f127200
                          • Opcode Fuzzy Hash: 02b3caad2c6db9cd39b69fbcc6da71f8838bb801dd65db3e2e099ac65ff998b7
                          • Instruction Fuzzy Hash: 39611F71E05206EFCB08CFA5C5814AEFBB2FF89315B24E855D415AB264D738DA42CF94
                          Function 02531338 Relevance: 4.0, Strings: 3, Instructions: 253COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 385 2531338-2531403 386 2531405 385->386 387 253140a-2531480 call 25300e4 385->387 386->387 393 2531483 387->393 394 253148a-25314a6 393->394 395 25314a8 394->395 396 25314af-25314b0 394->396 395->393 397 25315c3-25315df 395->397 398 25314e0-2531508 395->398 399 25314b5-25314bd call 2531c20 395->399 400 2531594-25315be 395->400 401 25315e4-2531654 call 25300f4 395->401 402 253150a-253150e 395->402 403 253153a-2531573 395->403 404 2531578-253158f 395->404 396->399 396->401 397->394 398->394 411 25314c3-25314de 399->411 400->394 420 2531656 call 2532761 401->420 421 2531656 call 2532815 401->421 422 2531656 call 2532744 401->422 423 2531656 call 25331e8 401->423 424 2531656 call 2532668 401->424 425 2531656 call 25327a8 401->425 426 2531656 call 253278f 401->426 405 2531521-2531528 402->405 406 2531510-253151f 402->406 403->394 404->394 409 253152f-2531535 405->409 406->409 409->394 411->394 418 253165c-2531666 420->418 421->418 422->418 423->418 424->418 425->418 426->418
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: Tesq$Tesq$_VID
                          • API String ID: 0-3813750289
                          • Opcode ID: f11dc3073ede1b73327d3969227edff5a681c922de8357639b740e48f34baa1e
                          • Instruction ID: 2644330f35d81e5f2b432ae95d015014a8576a86d877ac709287a9c435934fe8
                          • Opcode Fuzzy Hash: f11dc3073ede1b73327d3969227edff5a681c922de8357639b740e48f34baa1e
                          • Instruction Fuzzy Hash: 87B12770E056488FCB05CFA9C890ADEFFB2FF89310F18D46AD855AB255D7349806CB64
                          Function 025334FE Relevance: 4.0, Strings: 3, Instructions: 225COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 427 25334fe-253358d 428 2533594-25335b1 427->428 429 253358f 427->429 430 25335b9 428->430 429->428 431 25335c0-25335dc 430->431 432 25335e5-25335e6 431->432 433 25335de 431->433 434 25339e5-25339ec 432->434 435 25335fa-253361a 432->435 433->430 433->435 436 25337b3-25337b7 433->436 437 25338b2-25338c7 433->437 438 2533994-25339ab 433->438 439 25336f9-2533705 433->439 440 25337e3-25337f8 433->440 441 25336e2-25336f4 433->441 442 2533961-2533978 433->442 443 2533767-253377e 433->443 444 2533646-2533652 433->444 445 253392b-2533944 call 2533c00 433->445 446 2533908-2533926 433->446 447 253374d-2533762 433->447 448 25338cc-25338de 433->448 435->431 449 25337ca-25337d1 436->449 450 25337b9-25337c8 436->450 437->431 438->431 453 2533707 439->453 454 253370c-2533722 439->454 440->431 441->431 442->431 443->431 451 2533654 444->451 452 2533659-2533675 444->452 455 253394a-253395c 445->455 446->431 447->431 448->431 456 25337d8-25337de 449->456 450->456 451->452 452->431 453->454 461 2533724 454->461 462 2533729-2533748 454->462 455->431 456->431 461->462 462->431
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: @zAz$FO$U
                          • API String ID: 0-2123906176
                          • Opcode ID: 61e920356cc8becc6064b4bac5232c6a45adf0efdf3fa80e6cc084044b00da07
                          • Instruction ID: 6fd0da0eb720224f6d36c8ce585aee49c023468688b3121519b99ccdaef5708e
                          • Opcode Fuzzy Hash: 61e920356cc8becc6064b4bac5232c6a45adf0efdf3fa80e6cc084044b00da07
                          • Instruction Fuzzy Hash: 47916A71D05246EFCB09CFA5C4814AEFFB2FF89210B19D89AD805AB225D738D942CF94
                          Function 025313E0 Relevance: 3.9, Strings: 3, Instructions: 195COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 465 25313e0-2531403 466 2531405 465->466 467 253140a-2531480 call 25300e4 465->467 466->467 473 2531483 467->473 474 253148a-25314a6 473->474 475 25314a8 474->475 476 25314af-25314b0 474->476 475->473 477 25315c3-25315df 475->477 478 25314e0-2531508 475->478 479 25314b5-25314bd call 2531c20 475->479 480 2531594-25315be 475->480 481 25315e4-2531654 call 25300f4 475->481 482 253150a-253150e 475->482 483 253153a-2531573 475->483 484 2531578-253158f 475->484 476->479 476->481 477->474 478->474 491 25314c3-25314de 479->491 480->474 500 2531656 call 2532761 481->500 501 2531656 call 2532815 481->501 502 2531656 call 2532744 481->502 503 2531656 call 25331e8 481->503 504 2531656 call 2532668 481->504 505 2531656 call 25327a8 481->505 506 2531656 call 253278f 481->506 485 2531521-2531528 482->485 486 2531510-253151f 482->486 483->474 484->474 489 253152f-2531535 485->489 486->489 489->474 491->474 498 253165c-2531666 500->498 501->498 502->498 503->498 504->498 505->498 506->498
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: Tesq$Tesq$_VID
                          • API String ID: 0-3813750289
                          • Opcode ID: 791417ddab10330472c47e55bb63b73a0cb43f9c4bf14e5ce87f809be010da3f
                          • Instruction ID: d3d8a79b4bb77b3046b4cb968994aec1c6321a1f6f05b8017f0c61468b197f7c
                          • Opcode Fuzzy Hash: 791417ddab10330472c47e55bb63b73a0cb43f9c4bf14e5ce87f809be010da3f
                          • Instruction Fuzzy Hash: 2E81B374E016098FDB08CFAAC98469EFBB2FF88311F20942AD419AB354D7719945CF54
                          Function 0253381B Relevance: 3.9, Strings: 3, Instructions: 187COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 507 253381b-253383d 509 2533844-253385a 507->509 510 253383f 507->510 512 2533861-253387d 509->512 513 253385c 509->513 510->509 515 25338b2-25338c7 512->515 516 25335c0-25335dc 512->516 513->512 515->516 517 25335e5-25335e6 516->517 518 25335de 516->518 519 25339e5-25339ec 517->519 520 25335fa-253361a 517->520 518->515 518->520 521 25337b3-25337b7 518->521 522 2533994-25339ab 518->522 523 25336f9-2533705 518->523 524 25335b9 518->524 525 25337e3-25337f8 518->525 526 25336e2-25336f4 518->526 527 2533961-2533978 518->527 528 2533767-253377e 518->528 529 2533646-2533652 518->529 530 253392b-2533944 call 2533c00 518->530 531 2533908-2533926 518->531 532 253374d-2533762 518->532 533 25338cc-25338de 518->533 520->516 534 25337ca-25337d1 521->534 535 25337b9-25337c8 521->535 522->516 538 2533707 523->538 539 253370c-2533722 523->539 524->516 525->516 526->516 527->516 528->516 536 2533654 529->536 537 2533659-2533675 529->537 540 253394a-253395c 530->540 531->516 532->516 533->516 541 25337d8-25337de 534->541 535->541 536->537 537->516 538->539 546 2533724 539->546 547 2533729-2533748 539->547 540->516 541->516 546->547 547->516
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: @zAz$FO$U
                          • API String ID: 0-2123906176
                          • Opcode ID: ecb76656b94c52e82a0a34e5de0efd6a278b3d720c837f011110bfc0e571ccc8
                          • Instruction ID: 1a9141342f94c018ed0263ce279945aa8d891c56b333394ac2a90ebcd7d983e4
                          • Opcode Fuzzy Hash: ecb76656b94c52e82a0a34e5de0efd6a278b3d720c837f011110bfc0e571ccc8
                          • Instruction Fuzzy Hash: A0813D75E05206EFC708CFA5C5814AEFBB2FF89314B24E995D415AB264D338DA82CF94
                          Function 025338A1 Relevance: 3.9, Strings: 3, Instructions: 179COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 550 25338a1-25338a6 551 2533833-253383d 550->551 552 25338a8-25338af 550->552 554 2533844-253385a 551->554 555 253383f 551->555 553 25338b2-25338c7 552->553 556 25335c0-25335dc 553->556 560 2533861-253387d 554->560 561 253385c 554->561 555->554 558 25335e5-25335e6 556->558 559 25335de 556->559 562 25339e5-25339ec 558->562 563 25335fa-253361a 558->563 559->553 559->563 564 25337b3-25337b7 559->564 565 2533994-25339ab 559->565 566 25336f9-2533705 559->566 567 25335b9 559->567 568 25337e3-25337f8 559->568 569 25336e2-25336f4 559->569 570 2533961-2533978 559->570 571 2533767-253377e 559->571 572 2533646-2533652 559->572 573 253392b-2533944 call 2533c00 559->573 574 2533908-2533926 559->574 575 253374d-2533762 559->575 576 25338cc-25338de 559->576 560->553 560->556 561->560 563->556 577 25337ca-25337d1 564->577 578 25337b9-25337c8 564->578 565->556 581 2533707 566->581 582 253370c-2533722 566->582 567->556 568->556 569->556 570->556 571->556 579 2533654 572->579 580 2533659-2533675 572->580 583 253394a-253395c 573->583 574->556 575->556 576->556 584 25337d8-25337de 577->584 578->584 579->580 580->556 581->582 590 2533724 582->590 591 2533729-2533748 582->591 583->556 584->556 590->591 591->556
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: @zAz$FO$U
                          • API String ID: 0-2123906176
                          • Opcode ID: 433da5cc28ce299e1e2d237a5d77cd852bf5f8653792565c47b1b8be9a130384
                          • Instruction ID: 0862928b1074282a2fbc3a75aaeb7f6ccfb3d83e51d68593cae777207158e335
                          • Opcode Fuzzy Hash: 433da5cc28ce299e1e2d237a5d77cd852bf5f8653792565c47b1b8be9a130384
                          • Instruction Fuzzy Hash: 1D713E75E05206EFC708CFA5C5814AEFBB2FF89310B14E995D415AB254D338DA82CF94
                          Function 0253379D Relevance: 3.9, Strings: 3, Instructions: 165COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 594 253379d-25337af 597 25337b3-25337b7 594->597 598 25337ca-25337d1 597->598 599 25337b9-25337c8 597->599 600 25337d8-25337de 598->600 599->600 601 25335c0-25335dc 600->601 602 25335e5-25335e6 601->602 603 25335de 601->603 604 25339e5-25339ec 602->604 605 25335fa-253361a 602->605 603->597 603->605 606 25338b2-25338c7 603->606 607 2533994-25339ab 603->607 608 25336f9-2533705 603->608 609 25335b9 603->609 610 25337e3-25337f8 603->610 611 25336e2-25336f4 603->611 612 2533961-2533978 603->612 613 2533767-253377e 603->613 614 2533646-2533652 603->614 615 253392b-2533944 call 2533c00 603->615 616 2533908-2533926 603->616 617 253374d-2533762 603->617 618 25338cc-25338de 603->618 605->601 606->601 607->601 621 2533707 608->621 622 253370c-2533722 608->622 609->601 610->601 611->601 612->601 613->601 619 2533654 614->619 620 2533659-2533675 614->620 623 253394a-253395c 615->623 616->601 617->601 618->601 619->620 620->601 621->622 628 2533724 622->628 629 2533729-2533748 622->629 623->601 628->629 629->601
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: @zAz$FO$U
                          • API String ID: 0-2123906176
                          • Opcode ID: 00b55fe44c777b047f3b4a5d5ce298715678bd75580ff3837cb8c823f762574a
                          • Instruction ID: 97ec0fb059e835f26987d9c74fb4ce6795ec22f5b2e2b3387fd5069af4b5ccff
                          • Opcode Fuzzy Hash: 00b55fe44c777b047f3b4a5d5ce298715678bd75580ff3837cb8c823f762574a
                          • Instruction Fuzzy Hash: 84614075D0520AEFC708CFA5C5814AEFBB2FF89314B24E895D415AB264E738DA42CF94
                          Function 0253361C Relevance: 3.9, Strings: 3, Instructions: 161COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 632 253361c-2533628 633 253362a 632->633 634 253362f-2533641 632->634 633->634 636 25335c0-25335dc 634->636 637 2533646-2533652 634->637 640 25335e5-25335e6 636->640 641 25335de 636->641 638 2533654 637->638 639 2533659-2533675 637->639 638->639 639->636 642 25339e5-25339ec 640->642 643 25335fa-253361a 640->643 641->637 641->643 644 25337b3-25337b7 641->644 645 25338b2-25338c7 641->645 646 2533994-25339ab 641->646 647 25336f9-2533705 641->647 648 25335b9 641->648 649 25337e3-25337f8 641->649 650 25336e2-25336f4 641->650 651 2533961-2533978 641->651 652 2533767-253377e 641->652 653 253392b-2533944 call 2533c00 641->653 654 2533908-2533926 641->654 655 253374d-2533762 641->655 656 25338cc-25338de 641->656 643->636 657 25337ca-25337d1 644->657 658 25337b9-25337c8 644->658 645->636 646->636 660 2533707 647->660 661 253370c-2533722 647->661 648->636 649->636 650->636 651->636 652->636 662 253394a-253395c 653->662 654->636 655->636 656->636 663 25337d8-25337de 657->663 658->663 660->661 667 2533724 661->667 668 2533729-2533748 661->668 662->636 663->636 667->668 668->636
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: @zAz$FO$U
                          • API String ID: 0-2123906176
                          • Opcode ID: 603818baa9d09951d234c5f50384e7eda60cbe7554cac0b2e24148b481ef26e8
                          • Instruction ID: fe8887ad131b590c01e587d269344e4fcda08132b591ed982cee137e15ec5bdb
                          • Opcode Fuzzy Hash: 603818baa9d09951d234c5f50384e7eda60cbe7554cac0b2e24148b481ef26e8
                          • Instruction Fuzzy Hash: B3611F71E0520AEFC704CFA5C5814AEFBB2FF89314B14E895D415AB254D738DA82CF94
                          Function 025336D7 Relevance: 3.9, Strings: 3, Instructions: 159COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 671 25336d7-25336dc 673 25336e2-25336f4 671->673 674 25335c0-25335dc 673->674 675 25335e5-25335e6 674->675 676 25335de 674->676 677 25339e5-25339ec 675->677 678 25335fa-253361a 675->678 676->673 676->678 679 25337b3-25337b7 676->679 680 25338b2-25338c7 676->680 681 2533994-25339ab 676->681 682 25336f9-2533705 676->682 683 25335b9 676->683 684 25337e3-25337f8 676->684 685 2533961-2533978 676->685 686 2533767-253377e 676->686 687 2533646-2533652 676->687 688 253392b-2533944 call 2533c00 676->688 689 2533908-2533926 676->689 690 253374d-2533762 676->690 691 25338cc-25338de 676->691 678->674 692 25337ca-25337d1 679->692 693 25337b9-25337c8 679->693 680->674 681->674 696 2533707 682->696 697 253370c-2533722 682->697 683->674 684->674 685->674 686->674 694 2533654 687->694 695 2533659-2533675 687->695 698 253394a-253395c 688->698 689->674 690->674 691->674 699 25337d8-25337de 692->699 693->699 694->695 695->674 696->697 704 2533724 697->704 705 2533729-2533748 697->705 698->674 699->674 704->705 705->674
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: @zAz$FO$U
                          • API String ID: 0-2123906176
                          • Opcode ID: 39e1532f5ba45a91f681e375aa93baa7bde580bb660dd50ef761c1c473375c6a
                          • Instruction ID: a19d1c71f12c6f68bbe53f69d52f2b6f1d4bd768aa97acb028267380e348775a
                          • Opcode Fuzzy Hash: 39e1532f5ba45a91f681e375aa93baa7bde580bb660dd50ef761c1c473375c6a
                          • Instruction Fuzzy Hash: 59614F71D05206EFCB08CFA5C5814AEFBB2FF89310B24E955D416AB264D338DA42CF94
                          Function 025335EB Relevance: 3.9, Strings: 3, Instructions: 155COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 708 25335eb-25335f8 709 25335c0-25335dc 708->709 710 25335fa-253361a 708->710 711 25335e5-25335e6 709->711 712 25335de 709->712 710->709 711->710 713 25339e5-25339ec 711->713 712->710 714 25337b3-25337b7 712->714 715 25338b2-25338c7 712->715 716 2533994-25339ab 712->716 717 25336f9-2533705 712->717 718 25335b9 712->718 719 25337e3-25337f8 712->719 720 25336e2-25336f4 712->720 721 2533961-2533978 712->721 722 2533767-253377e 712->722 723 2533646-2533652 712->723 724 253392b-2533944 call 2533c00 712->724 725 2533908-2533926 712->725 726 253374d-2533762 712->726 727 25338cc-25338de 712->727 729 25337ca-25337d1 714->729 730 25337b9-25337c8 714->730 715->709 716->709 733 2533707 717->733 734 253370c-2533722 717->734 718->709 719->709 720->709 721->709 722->709 731 2533654 723->731 732 2533659-2533675 723->732 735 253394a-253395c 724->735 725->709 726->709 727->709 736 25337d8-25337de 729->736 730->736 731->732 732->709 733->734 740 2533724 734->740 741 2533729-2533748 734->741 735->709 736->709 740->741 741->709
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: @zAz$FO$U
                          • API String ID: 0-2123906176
                          • Opcode ID: 1837592f9086f22a10bcffb5039743ed5cec3fd61b8c2fb42969a175e0c98233
                          • Instruction ID: c11b10c9338b2f2a03f0f4853fb21c289d7f701ff1232f947ca46dcc4eb15d13
                          • Opcode Fuzzy Hash: 1837592f9086f22a10bcffb5039743ed5cec3fd61b8c2fb42969a175e0c98233
                          • Instruction Fuzzy Hash: DC610C75E0520AEFCB08CFA5C5814AEFBB2FF89314B14E855D415AB264E738DA42CF94
                          Function 02531C20 Relevance: 2.7, Strings: 2, Instructions: 157COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: b0U$b0U
                          • API String ID: 0-1204568421
                          • Opcode ID: bbc55f1d9cc5714844fb7081420f0388d27ec558d0573b8ab281f9e00b1b6365
                          • Instruction ID: 0ca06eea4290a1fe02de0fb9a8a0bea8c61015b3b4c4c61c0d14fd50dacc6bd7
                          • Opcode Fuzzy Hash: bbc55f1d9cc5714844fb7081420f0388d27ec558d0573b8ab281f9e00b1b6365
                          • Instruction Fuzzy Hash: B7511970E0560A8FCB08CFAAC5405AEFFF2FB89300F14E46AD419A7254D7348A42DF68
                          Function 08F9D5B0 Relevance: .4, Instructions: 355COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 98092fee74bda56161c793d0b0dde06694ca4bc01ec3fdfcbc450ed3949add88
                          • Instruction ID: efa6fd1bbe98a0889a631b1ec6d042d4e142aa3d7be4a1a086de87f080d589ad
                          • Opcode Fuzzy Hash: 98092fee74bda56161c793d0b0dde06694ca4bc01ec3fdfcbc450ed3949add88
                          • Instruction Fuzzy Hash: FBD1BEB1B016008FEB15EB75C86076EBBE6AF89601F20846DD185DB3D0DB35E905CB92
                          Function 02532668 Relevance: .1, Instructions: 109COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b03c1931324beab9c7891c8074e154bafd99ba376d478912e44399c2bd0787e
                          • Instruction ID: b5ea608e3ab93fb31c649b6926b6ca86776799a03484b683e9f450d7c980a113
                          • Opcode Fuzzy Hash: 9b03c1931324beab9c7891c8074e154bafd99ba376d478912e44399c2bd0787e
                          • Instruction Fuzzy Hash: 97414670E01618CBDB29CFA6D9806DEBBF2BF89310F14D1AAD409AB224DB345E55CF54
                          Function 08F9AAFB Relevance: .0, Instructions: 26COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 876e5a1d85c68da9c910b8580a9f59881cdc2edfe30309df638d5830a11149d0
                          • Instruction ID: 23a72f00f5f54065baf26c99de040293108c1fe6c23c224e106c31dd410257b9
                          • Opcode Fuzzy Hash: 876e5a1d85c68da9c910b8580a9f59881cdc2edfe30309df638d5830a11149d0
                          • Instruction Fuzzy Hash: 09E04839E0D028DEDB509E7474045F4B779EB46223F4420E6C54D97202E52046548B14
                          Function 08F9856C Relevance: 1.8, APIs: 1, Instructions: 323processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08F9883F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: ac3f2db9ff38ab6620643c575e6b6c61e82080e10d793085c9c84087564da780
                          • Instruction ID: 6a9a016f2d0f7ea67d86942f8045afc68af7e74e8b7ffb64f4038d4a6101a94e
                          • Opcode Fuzzy Hash: ac3f2db9ff38ab6620643c575e6b6c61e82080e10d793085c9c84087564da780
                          • Instruction Fuzzy Hash: 93C115B1D00229CFDF20CFA8C841BEDBBB1BB49341F1095A9D859B7250EB749A85CF95
                          Function 08F98578 Relevance: 1.8, APIs: 1, Instructions: 321processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08F9883F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: ff82fd80d7c06e422a683f54fd90a31abe57e636f0442fc4d88dfd5a9483bd18
                          • Instruction ID: 8978b2bb21042262b382da5031a6d3dea9da2b3b055a73068eb29a427e78299e
                          • Opcode Fuzzy Hash: ff82fd80d7c06e422a683f54fd90a31abe57e636f0442fc4d88dfd5a9483bd18
                          • Instruction Fuzzy Hash: 52C115B1D00229CFDF20CFA8C841BEDBBB1BB49341F0095A9D859B7250DB749A85CF95
                          Function 0253C4F4 Relevance: 1.6, APIs: 1, Instructions: 126COMMON
                          Download Yara Rule
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 0253DE09
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 01c4a5ba296bd3c740b7b63fc2446f7dfe862782353889bd1250d86f39a3637c
                          • Instruction ID: 122191c2c96ced34f371b6bc762417992a6e68f883e117f869db69dc5a0f2692
                          • Opcode Fuzzy Hash: 01c4a5ba296bd3c740b7b63fc2446f7dfe862782353889bd1250d86f39a3637c
                          • Instruction Fuzzy Hash: 525104B1D00218DFDB21DFA8C940B9EBBF5BF49304F1084AAD109AB251DB716A85CF90
                          Function 08F981E8 Relevance: 1.6, APIs: 1, Instructions: 123injectionCOMMON
                          Download Yara Rule
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08F982C3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 09534e15d158cc2f9e319984f00857f17bcec536c500d9b351a244ad14e9f4da
                          • Instruction ID: e32eaa3382130c1e781dee135e4ccdb9a14ef3fcd3a17611641c3f468b264bd1
                          • Opcode Fuzzy Hash: 09534e15d158cc2f9e319984f00857f17bcec536c500d9b351a244ad14e9f4da
                          • Instruction Fuzzy Hash: E841BBB5D052488FDF10CFA9D984AEEBBF1BB4A310F24942AE459B7250C374AA45CF64
                          Function 08F981F0 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON
                          Download Yara Rule
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08F982C3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: f98551b13239128626ba004ee576e36fef815bd987f2dc51b37700bacd9c3379
                          • Instruction ID: 92ce1d1bb3b3bd13bcaca8d8aa74e9e3e0febd8b9eaea78593225feee6f31a8b
                          • Opcode Fuzzy Hash: f98551b13239128626ba004ee576e36fef815bd987f2dc51b37700bacd9c3379
                          • Instruction Fuzzy Hash: 1F41A9B5D012589FCF10CFA9D984AEEFBF1BB49310F20902AE818B7210C774AA45CF64
                          Function 08F98340 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                          Download Yara Rule
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08F983FA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: a681594b907c54fbba7cd45935a239aab21f3ebc134e5e7832e4468d5c0d5155
                          • Instruction ID: 8adcd6ac8ac62b8d7322f67149a5db391008c2c80b8855af58597a4c92a4567d
                          • Opcode Fuzzy Hash: a681594b907c54fbba7cd45935a239aab21f3ebc134e5e7832e4468d5c0d5155
                          • Instruction Fuzzy Hash: 8F41BAB5D002589FCF10CFA9D884AEEFBB1BF59320F14942AE819B7210C775A945CF64
                          Function 08F98348 Relevance: 1.6, APIs: 1, Instructions: 106COMMON
                          Download Yara Rule
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08F983FA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 2fa0e9ee39002aa7a5d3a87d08b020c2af6a8b80d0ed658f2005e6dd349cf0c9
                          • Instruction ID: 15f63465178a654001a6e3f4b44889cd9912a029d66e73de5bddb027c2c316f3
                          • Opcode Fuzzy Hash: 2fa0e9ee39002aa7a5d3a87d08b020c2af6a8b80d0ed658f2005e6dd349cf0c9
                          • Instruction Fuzzy Hash: C841AAB5D002589FCF10CFAAD984AEEFBB1BF59310F10942AE814B7210C775A945CF64
                          Function 08F980C9 Relevance: 1.6, APIs: 1, Instructions: 102memoryCOMMON
                          Download Yara Rule
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F9817A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 77da917759080070f734ca3f2c7a5473931b5efde9e75dd957001bc410c0145c
                          • Instruction ID: 566a558932ee091ac50eb312d92f542e72c94692c7c444fdb4d796f48e248a44
                          • Opcode Fuzzy Hash: 77da917759080070f734ca3f2c7a5473931b5efde9e75dd957001bc410c0145c
                          • Instruction Fuzzy Hash: F23198B9D002589FCF10CFA9D981AEEFBB1BB59320F20A42AE815B7210D775A945CF54
                          Function 08F980D0 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON
                          Download Yara Rule
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F9817A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 1235218fa379fea9e78a061f2206cfc7dce14fef5f874ef51ff59c7e6dea51f7
                          • Instruction ID: 5ca233054d0d7ec8693b90eb9974353ba54f5fc0d3eb29631622a98f3138a896
                          • Opcode Fuzzy Hash: 1235218fa379fea9e78a061f2206cfc7dce14fef5f874ef51ff59c7e6dea51f7
                          • Instruction Fuzzy Hash: 313197B9D002589FCF10CFA9D980A9EFBB5FB49320F20A42AE814B7210D735A941CF64
                          Function 08F97FA0 Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON
                          Download Yara Rule
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 08F98057
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 2e68128b592643d5c6e632b2852c53e2465f1354a607d4c272ed3e59da8596c7
                          • Instruction ID: c40a5bcf3648ac33e322cbacd9eda14cadcf951e29fc1d2a21f43ab0f17704f5
                          • Opcode Fuzzy Hash: 2e68128b592643d5c6e632b2852c53e2465f1354a607d4c272ed3e59da8596c7
                          • Instruction Fuzzy Hash: 9941EDB5D012489FDF10CFA9D885AEEBFF0AF49310F24806AE454B7250C7785949CF54
                          Function 02538311 Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMON
                          Download Yara Rule
                          APIs
                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 025383BF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 22a50811907578bf4741226dca6789e28532bcbf93735e7b550499d1ca0f7a6d
                          • Instruction ID: fdff937e9946dba29e6dd97c8ca08395c2eb5690b74ee24f9ddfb036bf141a1f
                          • Opcode Fuzzy Hash: 22a50811907578bf4741226dca6789e28532bcbf93735e7b550499d1ca0f7a6d
                          • Instruction Fuzzy Hash: 6831ABB5D002589FCB10CFA9E584AEEFBB1FB59310F24A06AE854B7310C375A945CF54
                          Function 08F97FA8 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON
                          Download Yara Rule
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 08F98057
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 3c2d035eb2de87476ce94931a3b32b140c42e381b19ba22b1d6f190346dd3b91
                          • Instruction ID: ab032d49ec0c080b97ef7706331471880c745bfbfd24684cb1906d1f5b1b53d0
                          • Opcode Fuzzy Hash: 3c2d035eb2de87476ce94931a3b32b140c42e381b19ba22b1d6f190346dd3b91
                          • Instruction Fuzzy Hash: AF31CBB5D002589FDF10CFAAD885AEEBBF1FB49310F24802AE418B7210C779A945CF54
                          Function 02538318 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON
                          Download Yara Rule
                          APIs
                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 025383BF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: cfa81fb9efb4a8ad829b4a086d7c171cc8cb27511b8852d0080477dc32399af2
                          • Instruction ID: 640fbcefa81c7f69a45848ab6f183c71e302556ac681965ea61aaf5cd450aa07
                          • Opcode Fuzzy Hash: cfa81fb9efb4a8ad829b4a086d7c171cc8cb27511b8852d0080477dc32399af2
                          • Instruction Fuzzy Hash: 393199B9D002589FCB14CFA9D984ADEFBF5BB19310F24A02AE814B7310D375A945CF64
                          Function 08F9B518 Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON
                          Download Yara Rule
                          APIs
                          • PostMessageW.USER32(?,?,?,00000000), ref: 08F9BD4B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 09decfdd4740e430f01a91481ae3f0f677c112708b1cea9bc3eac986777da291
                          • Instruction ID: 627b5ce71fd2b48ca9bbeb7acc02ab9bf2d956dd64800d2186069d1974f17246
                          • Opcode Fuzzy Hash: 09decfdd4740e430f01a91481ae3f0f677c112708b1cea9bc3eac986777da291
                          • Instruction Fuzzy Hash: 663179B9D04258DFCB10CFA9E584A9EFBF5EB49320F24901AE814B7310D375A945CF64
                          Function 08F9BCAA Relevance: 1.6, APIs: 1, Instructions: 87windowCOMMON
                          Download Yara Rule
                          APIs
                          • PostMessageW.USER32(?,?,?,00000000), ref: 08F9BD4B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 3959fcef51994678d7fea5217051575d576f93362ff6f485a156fc486e41e544
                          • Instruction ID: 1e787f9c9ff317f7b8e9124cd98c1c181eb7b5db19cfb37c4ebc737fe6d40a81
                          • Opcode Fuzzy Hash: 3959fcef51994678d7fea5217051575d576f93362ff6f485a156fc486e41e544
                          • Instruction Fuzzy Hash: EC3197B8D012589FCB10CFA9E584A9EFBF5AB49320F24901AE858BB310C375A945CF54
                          Function 08F97A78 Relevance: 1.6, APIs: 1, Instructions: 80threadCOMMON
                          Download Yara Rule
                          APIs
                          • ResumeThread.KERNELBASE(?), ref: 08F97AFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 98b0de7bfeb8ee50351ee87cf9a74c26673763d87b0bb82e86a5bb888fabe895
                          • Instruction ID: 5b69c2eeba520334e60c0f9b07232fe8ab297f890accc21e3515e98b7bcb777d
                          • Opcode Fuzzy Hash: 98b0de7bfeb8ee50351ee87cf9a74c26673763d87b0bb82e86a5bb888fabe895
                          • Instruction Fuzzy Hash: C731EBB4D053489FCF10CFA9D881AAEFFB1AF49320F24945AE454B7210C774A905CF64
                          Function 08F97A80 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON
                          Download Yara Rule
                          APIs
                          • ResumeThread.KERNELBASE(?), ref: 08F97AFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 1c34ea8ebe32856c2e2739806028165044b519455a869c03ce7f2359fba3598a
                          • Instruction ID: 94066002f3e1adb433a92232f5fb007ba16a3edaa70aced346f2422a78390fee
                          • Opcode Fuzzy Hash: 1c34ea8ebe32856c2e2739806028165044b519455a869c03ce7f2359fba3598a
                          • Instruction Fuzzy Hash: EE31CBB4D012189FCF10DFAAD985AAEFBB4AB48320F10942AE414B7300C775A901CF54
                          Function 0249D3D8 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033540291.000000000249D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0249D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_249d000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0078df210171c8eb088ecd59c74cb0ecd616d6c250ef87ef77d089dd2739efb9
                          • Instruction ID: d8b9011d46e6a0eeb4fe7794c80606f506b910e781a266d71c30dc57d5d540cd
                          • Opcode Fuzzy Hash: 0078df210171c8eb088ecd59c74cb0ecd616d6c250ef87ef77d089dd2739efb9
                          • Instruction Fuzzy Hash: 532106B1904204DFDF19EF14D9C0B27BF65FB84324F24C56AE90A0B256C336E456CAA1
                          Function 024AD01C Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033614985.00000000024AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024AD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_24ad000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5ead0853108f5e34e79c5ea06e1a006434793f1bd25761ff00137b9e7f4045b0
                          • Instruction ID: 1c3217c202cfd68822b9735a71421d257038569431ecfb180496c826bfc57465
                          • Opcode Fuzzy Hash: 5ead0853108f5e34e79c5ea06e1a006434793f1bd25761ff00137b9e7f4045b0
                          • Instruction Fuzzy Hash: CB2137B1908200DFDB14DF14D9D1B26BB65FB94318F20C56ED90A4B756C336D447CE61
                          Function 024AD1D4 Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033614985.00000000024AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024AD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_24ad000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bd66509b923ebe620db887648a34d52fbfeab8c5082e82d0ec5989347c9661fe
                          • Instruction ID: c3f9a8f9afbbe33cf58688a70ed7669dbc60f81f605520863b3fec3aed139019
                          • Opcode Fuzzy Hash: bd66509b923ebe620db887648a34d52fbfeab8c5082e82d0ec5989347c9661fe
                          • Instruction Fuzzy Hash: 0F2104B6904200EFDB05DF14D9D0B26BBA5FB98314F24C96EE90A4F752C73AD846CA61
                          Function 024AD006 Relevance: .1, Instructions: 62COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033614985.00000000024AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024AD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_24ad000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 150878c5a857b68086cd5c48b882e4050655fe244dcb42c594b65259e5590465
                          • Instruction ID: 440a61f4ab2985e3ad08595be18cf4fb2050af635efea0d46e6c03773060d04c
                          • Opcode Fuzzy Hash: 150878c5a857b68086cd5c48b882e4050655fe244dcb42c594b65259e5590465
                          • Instruction Fuzzy Hash: BC218075509380CFCB12CF24D590716BF71EB46218F28C5DBD8498F6A7C33A980ACB62
                          Function 0249D3D3 Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033540291.000000000249D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0249D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_249d000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                          • Instruction ID: 0afeddb6f65a7a36dfd8e4d704107b37adc6a14232922350098d124e68bba6dd
                          • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                          • Instruction Fuzzy Hash: 0611DF72804240CFCF16DF00D9C0B16BF72FB84324F24C2AAD8090B656C33AE45ACBA1
                          Function 024AD1CF Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033614985.00000000024AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024AD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_24ad000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                          • Instruction ID: 3ad1ad8c1b16944a99f0cfe38efd9a51b3bfca3ad55ec92bf3555728cbaa4e6d
                          • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                          • Instruction Fuzzy Hash: B5118E76904240DFDB15CF14D5D4B16BB61FB84314F24C6AAD8494F766C33AD44ACB51
                          Function 0249D759 Relevance: .0, Instructions: 45COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033540291.000000000249D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0249D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_249d000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 89d64e582f36273aba8fedae1fbe2391802bd697925eb8e4f883b3c5c7bb1ff9
                          • Instruction ID: 5070528e8bbf7654576fb4b82b8cc02e1997bca6819c673b0c21ef9db73a51cb
                          • Opcode Fuzzy Hash: 89d64e582f36273aba8fedae1fbe2391802bd697925eb8e4f883b3c5c7bb1ff9
                          • Instruction Fuzzy Hash: EE01AC71505B40DADF105B25DCC4767BF98DF41724F18C95BED494A346C77A9440C671
                          Function 0249D758 Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033540291.000000000249D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0249D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_249d000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3ceea3b11d604b7d07f15b371c0b38ce6cfce31070b3a4afd7d3f74aed615a15
                          • Instruction ID: e492e115d069a5904c1e4e099b4c419ac7a65f7c887b8ddf3657c98da234a09f
                          • Opcode Fuzzy Hash: 3ceea3b11d604b7d07f15b371c0b38ce6cfce31070b3a4afd7d3f74aed615a15
                          • Instruction Fuzzy Hash: 84F0C271404740AEEB208B1ADCC4B63FFA8EF51724F18C45BED484A386C379A840CAB0

                          Non-executed Functions

                          Function 025320E8 Relevance: 2.7, Strings: 2, Instructions: 172COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: %K!n$%K!n
                          • API String ID: 0-4166761646
                          • Opcode ID: 8d95bdf33a37a7aac5fd85ebcffa2ae430dd48f8f151a8c8a8982d0cdfab8175
                          • Instruction ID: 7182e6441afe4416c8286832749245d5414dd711ff0e63bb7d57c4f89cd3dd69
                          • Opcode Fuzzy Hash: 8d95bdf33a37a7aac5fd85ebcffa2ae430dd48f8f151a8c8a8982d0cdfab8175
                          • Instruction Fuzzy Hash: F0712874E0460ADFCB05CFA9D580AEEFBB1FB89310F14A51AD915EB260D3349A42CF94
                          Function 025355B1 Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: ,yW
                          • API String ID: 0-3507755697
                          • Opcode ID: 5e802b7400b8ad393553d5de06a5145e5cfc3a6022f83398a881d89fa28d39b2
                          • Instruction ID: 24ae3a26c385886d28db00bcaa68696b24af85cf845f8b4d0bf2be8a2e8d5cef
                          • Opcode Fuzzy Hash: 5e802b7400b8ad393553d5de06a5145e5cfc3a6022f83398a881d89fa28d39b2
                          • Instruction Fuzzy Hash: 0D41D970E0520A9FCB05CFAAC5815EEFBF2BB88310F54E56AC415AB254E3349A52CF95
                          Function 025355C0 Relevance: 1.4, Strings: 1, Instructions: 113COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: ,yW
                          • API String ID: 0-3507755697
                          • Opcode ID: d49ab313aa6d8de0f1d370cd9a8fa44be1d2b01921bf5954b45a4696f8232df7
                          • Instruction ID: f681012d5e3ef28d726a9c4f8cbb5051a85a57fd696515646cb8aa2bd71fc169
                          • Opcode Fuzzy Hash: d49ab313aa6d8de0f1d370cd9a8fa44be1d2b01921bf5954b45a4696f8232df7
                          • Instruction Fuzzy Hash: 7541DA74E0420ADFCB04CFAAC5415EEFBF2BB88310F54E46AC415AB254E3349A51CF99
                          Function 02530871 Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: &>'k
                          • API String ID: 0-2320362961
                          • Opcode ID: bf81256f5569cd124c79a58c2403326da81ed56e7f5e741cbd743b70d262e1a2
                          • Instruction ID: 3408ef27eb28b64495a823236372f67209ee4870524b7361519114c347e99274
                          • Opcode Fuzzy Hash: bf81256f5569cd124c79a58c2403326da81ed56e7f5e741cbd743b70d262e1a2
                          • Instruction Fuzzy Hash: B031D871E046588FEB58CFAAD84079EFBB3BFC9300F14C5AAC408AB254DB344A468F55
                          Function 08F971D8 Relevance: .3, Instructions: 312COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3d1a334b84fd862bfffb309f214671a5930640b1ffa5eb62c323042a0fb391e5
                          • Instruction ID: 8da4e60e585736dfbe9d82e7116f0afae05ea83ea378fa486a5493a476f4b699
                          • Opcode Fuzzy Hash: 3d1a334b84fd862bfffb309f214671a5930640b1ffa5eb62c323042a0fb391e5
                          • Instruction Fuzzy Hash: DCE11AB4E11219CFDB14DFA9C5809AEFBB2FF89301F248169D854AB355D730A942CFA0
                          Function 08F95118 Relevance: .3, Instructions: 312COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 124cbce3f94d5bc69e552a071032339a97c080f0afac37f54c581689ab30bc16
                          • Instruction ID: 988f92ba1f76089abd75c5e76f1af05eb2aebbf8a3d717d58c9ff8d7d6ee004c
                          • Opcode Fuzzy Hash: 124cbce3f94d5bc69e552a071032339a97c080f0afac37f54c581689ab30bc16
                          • Instruction Fuzzy Hash: 25E12AB4E01219CFDB14DFA9C5809AEFBB2FF89305F248169D855AB355D730A942CFA0
                          Function 08F97B70 Relevance: .3, Instructions: 312COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f453d19b19191fa2a25b398cf0cc2570e6312398000c233234b78795ecbe19bb
                          • Instruction ID: ef1a91e9ebc88fade3b3cd485cf12c699a04661aaf452012145f6d5b5f1f6ce6
                          • Opcode Fuzzy Hash: f453d19b19191fa2a25b398cf0cc2570e6312398000c233234b78795ecbe19bb
                          • Instruction Fuzzy Hash: 34E11A74E11219CFDB14DFA9C5809AEFBB2FF88305F248159E855AB355D730A942CFA0
                          Function 08F96DA0 Relevance: .3, Instructions: 312COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 07f520d055cd14916b714e262100a273c9f4787e2aacd21a48f61a7019f6f6b7
                          • Instruction ID: 7f6aa996c22846e6b5e9c6b9e59e3d367630e6a68373c4fdb71305f52bea3c36
                          • Opcode Fuzzy Hash: 07f520d055cd14916b714e262100a273c9f4787e2aacd21a48f61a7019f6f6b7
                          • Instruction Fuzzy Hash: 75E10D74E01219CFDB14DFA9C5809AEFBB2FF89305F248169D455A7355D730A982CFA0
                          Function 08F95550 Relevance: .3, Instructions: 312COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ddfa5303f8c8ed0c8eb82589f043bd775ace42c6a1e8cfe02c197606966faad5
                          • Instruction ID: 942f485ec2a727fd69b868dc79ae9aef75df9e172f470d03fddd9d2e4629f090
                          • Opcode Fuzzy Hash: ddfa5303f8c8ed0c8eb82589f043bd775ace42c6a1e8cfe02c197606966faad5
                          • Instruction Fuzzy Hash: BDE119B4E01219CFDB14DFA9C5809AEFBB2FF89305F248169D855AB355D730A942CFA0
                          Function 025357F8 Relevance: .2, Instructions: 167COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f67ea03c557b592f2cdec9fafaf2840769f1e26755cb0a66391cb8401e0c5c1
                          • Instruction ID: 773370d81e51c43dab55d5510461a3ddd00e6be07965691099fd68ef6eec5059
                          • Opcode Fuzzy Hash: 1f67ea03c557b592f2cdec9fafaf2840769f1e26755cb0a66391cb8401e0c5c1
                          • Instruction Fuzzy Hash: E261D575E15609DFCB08CFA9C5805DEFBF2FB89310F64A82AD41AB7214E3349941CB68
                          Function 025357E8 Relevance: .2, Instructions: 165COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 53bbb6530b4bc82cd19c493518bdacff3cc306e4dd6f9a4c10e7cb5053bc9e57
                          • Instruction ID: 3c456a493d8bdf24392a7a0743671fc9d876296b7e0578a459086b521136b6e0
                          • Opcode Fuzzy Hash: 53bbb6530b4bc82cd19c493518bdacff3cc306e4dd6f9a4c10e7cb5053bc9e57
                          • Instruction Fuzzy Hash: 8361D671E05609CFCB09CFA9C5805DEFBF2BB89320F64A86AD415B7254E3349941CB69
                          Function 08F95108 Relevance: .1, Instructions: 135COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e8fb2f5f82bb534d2ee77887287eb295d3884d27634f7da7e4ef04c9edc84e7d
                          • Instruction ID: 22c5ae2300cf37ff6cd3b99ffa4150b8109595ce83ca1a51995bee2528930156
                          • Opcode Fuzzy Hash: e8fb2f5f82bb534d2ee77887287eb295d3884d27634f7da7e4ef04c9edc84e7d
                          • Instruction Fuzzy Hash: B9514970E012198FDB15CFA9C9805AEFBF2BF89305F24C16AD458AB356D7309942CFA1
                          Function 08F95540 Relevance: .1, Instructions: 131COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2043770353.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_8f90000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4e41eba7cbd0cd15301efbd6c3d0a93036d03bcc7c2506416d38875b744d34ce
                          • Instruction ID: 5a0a5bf6027b3d487d9581d7eeb9f9012ed37488b0743a668233d5faba4a3447
                          • Opcode Fuzzy Hash: 4e41eba7cbd0cd15301efbd6c3d0a93036d03bcc7c2506416d38875b744d34ce
                          • Instruction Fuzzy Hash: 2D5119B0E012198FDB14CFA9C5805AEFBF2BF89305F24C16AD459AB356D7309942CFA1
                          Function 02535A62 Relevance: .1, Instructions: 122COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d64cd8d6ae0bee8dfe132bef3c58639f81061542c6c560e2ff61e03e8cd5f90d
                          • Instruction ID: ac4cce9ab8e362e2d34fd239d7fb04f6b1f85809876450d9ecb8b0b2b0114a9f
                          • Opcode Fuzzy Hash: d64cd8d6ae0bee8dfe132bef3c58639f81061542c6c560e2ff61e03e8cd5f90d
                          • Instruction Fuzzy Hash: B151FC74E0524A8FCB04CFA5C5815AEFBB2FF88301F68E46AC415E7254E3349A41DB55
                          Function 02535A70 Relevance: .1, Instructions: 120COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aec6829ad3058320e76ac80bc38c161215bac9bcfa06fa1fa61ad72df7b1edfa
                          • Instruction ID: 999a3e3aa0698c2ebadd7c3d66bbcdc186bea3d5bb7defa0590bfd2ff7f1c762
                          • Opcode Fuzzy Hash: aec6829ad3058320e76ac80bc38c161215bac9bcfa06fa1fa61ad72df7b1edfa
                          • Instruction Fuzzy Hash: D651EB74E0520A8BCB04CFA9C5815AEFBF2FF88301F64E869C415B7254E7349A41DB99
                          Function 02535C70 Relevance: .1, Instructions: 112COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2033925754.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2530000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 55f4f0b5ddf5e152aceaeaeee68975232afaeba3d13f32f67ac94f1ca117924e
                          • Instruction ID: c1aec65f1fe7ef50a36ed1a95bfd7f56244089b999707e04ea1a5685c7702310
                          • Opcode Fuzzy Hash: 55f4f0b5ddf5e152aceaeaeee68975232afaeba3d13f32f67ac94f1ca117924e
                          • Instruction Fuzzy Hash: 36416F71E016588BDB29CF6B9D4469DFBF3BFC9300F14C5BA854CAA215EB700A868F15

                          Execution Graph

                          Execution Coverage:13.8%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:3
                          Total number of Limit Nodes:0
                          execution_graph 28573 641ea98 28574 641eade GlobalMemoryStatusEx 28573->28574 28575 641eb0e 28574->28575

                          Executed Functions

                          Function 00F3A960 Relevance: 2.8, Instructions: 2824COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0f152e8651215cbabdaa5fb169c17a76f439d0eaf851a7bb8d6f442815c6cfbe
                          • Instruction ID: bd126443d49ffa2c0f853ddce1dfdb5a16d6b0a6930bf5c4a04c962697844686
                          • Opcode Fuzzy Hash: 0f152e8651215cbabdaa5fb169c17a76f439d0eaf851a7bb8d6f442815c6cfbe
                          • Instruction Fuzzy Hash: 19531731D10B1A8ACB11EF68C8806A9F7B1FF99310F51D79AE45877125FB70AAD4CB81
                          Function 00F3DBD8 Relevance: 2.3, Instructions: 2336COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 816ff2da3d3c6d5d569331db31f083909827e888d54888709bc3de6dbbe20c32
                          • Instruction ID: fce9d0f27f7246394ccfb8846eb4f60341dd4768f9643b2d85aaae22c6e1789e
                          • Opcode Fuzzy Hash: 816ff2da3d3c6d5d569331db31f083909827e888d54888709bc3de6dbbe20c32
                          • Instruction Fuzzy Hash: 2E331C31D107198ECB11EF68C8846ADF7B1FF99310F15C79AE458A7225EB70AAC5CB81
                          Function 00F33E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID: \Vol
                          • API String ID: 0-1859086111
                          • Opcode ID: 1a99cf0e480a11a3242879fe35de5cad9d05105885a801f289e4511207dddf60
                          • Instruction ID: 3f54078d9317c3ddd9127738d80560e8231aa8963918f67f97b0617ac7bc1a50
                          • Opcode Fuzzy Hash: 1a99cf0e480a11a3242879fe35de5cad9d05105885a801f289e4511207dddf60
                          • Instruction Fuzzy Hash: 69918EB0E00209CFDF14DFA9C9857DEBBF2AF98324F148129E415E7254EB74A985DB81
                          Function 00F34A98 Relevance: .3, Instructions: 266COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 76c13b6d277196b149ddc3a465b051a88ff84238d7c85b0b4f045dab313c8484
                          • Instruction ID: da8f13d60722cf4c4378540aab8de038cca9205cd56e7d974be30b8633715534
                          • Opcode Fuzzy Hash: 76c13b6d277196b149ddc3a465b051a88ff84238d7c85b0b4f045dab313c8484
                          • Instruction Fuzzy Hash: 10B14C71E002098FDB10CFA9C98579DBBF2AF88364F248529E815E7394EB74E845DB81
                          Function 00F34810 Relevance: 2.7, Strings: 2, Instructions: 180COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1768 f34810-f3489c 1771 f348e6-f348e8 1768->1771 1772 f3489e-f348a9 1768->1772 1773 f348ea-f34902 1771->1773 1772->1771 1774 f348ab-f348b7 1772->1774 1781 f34904-f3490f 1773->1781 1782 f3494c-f3494e 1773->1782 1775 f348da-f348e4 1774->1775 1776 f348b9-f348c3 1774->1776 1775->1773 1778 f348c7-f348d6 1776->1778 1779 f348c5 1776->1779 1778->1778 1780 f348d8 1778->1780 1779->1778 1780->1775 1781->1782 1783 f34911-f3491d 1781->1783 1784 f34950-f34995 1782->1784 1785 f34940-f3494a 1783->1785 1786 f3491f-f34929 1783->1786 1792 f3499b-f349a9 1784->1792 1785->1784 1788 f3492b 1786->1788 1789 f3492d-f3493c 1786->1789 1788->1789 1789->1789 1790 f3493e 1789->1790 1790->1785 1793 f349b2-f34a0f 1792->1793 1794 f349ab-f349b1 1792->1794 1801 f34a11-f34a15 1793->1801 1802 f34a1f-f34a23 1793->1802 1794->1793 1801->1802 1803 f34a17-f34a1a call f30ab8 1801->1803 1804 f34a33-f34a37 1802->1804 1805 f34a25-f34a29 1802->1805 1803->1802 1808 f34a47-f34a4b 1804->1808 1809 f34a39-f34a3d 1804->1809 1805->1804 1807 f34a2b-f34a2e call f30ab8 1805->1807 1807->1804 1812 f34a5b 1808->1812 1813 f34a4d-f34a51 1808->1813 1809->1808 1811 f34a3f 1809->1811 1811->1808 1815 f34a5c 1812->1815 1813->1812 1814 f34a53 1813->1814 1814->1812 1815->1815
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID: \Vol$\Vol
                          • API String ID: 0-2552536679
                          • Opcode ID: 1896d89466fee393939abb5111047c591e71806f2433a0ebc9670ad716cf249f
                          • Instruction ID: d6289623b80e59cdde406d6654628d01d77c63ce241f70ac693f632a5ca93113
                          • Opcode Fuzzy Hash: 1896d89466fee393939abb5111047c591e71806f2433a0ebc9670ad716cf249f
                          • Instruction Fuzzy Hash: 9D717AB0E00249CFDF10CFA9C98579EBBF2FF88324F148129E414A7254EB78A841DB95
                          Function 00F34807 Relevance: 2.7, Strings: 2, Instructions: 178COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1816 f34807-f3489c 1819 f348e6-f348e8 1816->1819 1820 f3489e-f348a9 1816->1820 1821 f348ea-f34902 1819->1821 1820->1819 1822 f348ab-f348b7 1820->1822 1829 f34904-f3490f 1821->1829 1830 f3494c-f3494e 1821->1830 1823 f348da-f348e4 1822->1823 1824 f348b9-f348c3 1822->1824 1823->1821 1826 f348c7-f348d6 1824->1826 1827 f348c5 1824->1827 1826->1826 1828 f348d8 1826->1828 1827->1826 1828->1823 1829->1830 1831 f34911-f3491d 1829->1831 1832 f34950-f34962 1830->1832 1833 f34940-f3494a 1831->1833 1834 f3491f-f34929 1831->1834 1839 f34969-f34995 1832->1839 1833->1832 1836 f3492b 1834->1836 1837 f3492d-f3493c 1834->1837 1836->1837 1837->1837 1838 f3493e 1837->1838 1838->1833 1840 f3499b-f349a9 1839->1840 1841 f349b2-f34a0f 1840->1841 1842 f349ab-f349b1 1840->1842 1849 f34a11-f34a15 1841->1849 1850 f34a1f-f34a23 1841->1850 1842->1841 1849->1850 1851 f34a17-f34a1a call f30ab8 1849->1851 1852 f34a33-f34a37 1850->1852 1853 f34a25-f34a29 1850->1853 1851->1850 1856 f34a47-f34a4b 1852->1856 1857 f34a39-f34a3d 1852->1857 1853->1852 1855 f34a2b-f34a2e call f30ab8 1853->1855 1855->1852 1860 f34a5b 1856->1860 1861 f34a4d-f34a51 1856->1861 1857->1856 1859 f34a3f 1857->1859 1859->1856 1863 f34a5c 1860->1863 1861->1860 1862 f34a53 1861->1862 1862->1860 1863->1863
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID: \Vol$\Vol
                          • API String ID: 0-2552536679
                          • Opcode ID: f2c00eff9305c6fdfbd975e831a3bafb08457f982efd89ea26e77f7edfdf8b61
                          • Instruction ID: bbae340e9f8553d5a83db49a41b91998302501d35160220a5d62e880df338219
                          • Opcode Fuzzy Hash: f2c00eff9305c6fdfbd975e831a3bafb08457f982efd89ea26e77f7edfdf8b61
                          • Instruction Fuzzy Hash: 9E715AB0E00249CFDF10DFA9C9857DEBBF2BF48324F148129E414AB254EB78A845DB95
                          Function 0641EA90 Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2545 641ea90-641ead6 2547 641eade-641eb0c GlobalMemoryStatusEx 2545->2547 2548 641eb15-641eb3d 2547->2548 2549 641eb0e-641eb14 2547->2549 2549->2548
                          APIs
                          • GlobalMemoryStatusEx.KERNELBASE ref: 0641EAFF
                          Memory Dump Source
                          • Source File: 00000006.00000002.3243651934.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6410000_RegSvcs.jbxd
                          Similarity
                          • API ID: GlobalMemoryStatus
                          • String ID:
                          • API String ID: 1890195054-0
                          • Opcode ID: c38f4103c940afad66b1b32cc675a25fa43bbea7e99f5fb9dff8cc7776965ee6
                          • Instruction ID: f6d44eb45d2f386441fb639b9c6551f1c08ffcb1fbe351db058cc87c1d2885c5
                          • Opcode Fuzzy Hash: c38f4103c940afad66b1b32cc675a25fa43bbea7e99f5fb9dff8cc7776965ee6
                          • Instruction Fuzzy Hash: E31117B1C006599BCB10CF9AC445BDEFBF4FF48324F14816AD818A7240D779A940CFA5
                          Function 0641EA98 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                          Download Yara Rule
                          APIs
                          • GlobalMemoryStatusEx.KERNELBASE ref: 0641EAFF
                          Memory Dump Source
                          • Source File: 00000006.00000002.3243651934.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_6410000_RegSvcs.jbxd
                          Similarity
                          • API ID: GlobalMemoryStatus
                          • String ID:
                          • API String ID: 1890195054-0
                          • Opcode ID: 50f60008c4755979a1dbeed923030a01a8f9c8dc05dfa316bdc3dee24e977161
                          • Instruction ID: 9944dbc05ad48384d6790119385204649969709781ba99a0cc7cca17929d76d1
                          • Opcode Fuzzy Hash: 50f60008c4755979a1dbeed923030a01a8f9c8dc05dfa316bdc3dee24e977161
                          • Instruction Fuzzy Hash: 0D1123B1C0025A9BCB10CF9AC445BDEFBF8EF48324F14816AD818A7240D378A940CFA5
                          Function 00F33E74 Relevance: 1.5, Strings: 1, Instructions: 236COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID: \Vol
                          • API String ID: 0-1859086111
                          • Opcode ID: 5328d05dfdcfbe56c646bbe51d2bd927384292b5a13b609d4b1285c3e33fa363
                          • Instruction ID: 3709eed746fe0af8c21a15ace924066245d624f9f2b95de444c9534b01b94056
                          • Opcode Fuzzy Hash: 5328d05dfdcfbe56c646bbe51d2bd927384292b5a13b609d4b1285c3e33fa363
                          • Instruction Fuzzy Hash: 8AA17CB0E00609CFDF14DFA8C9857DEBBF2AF58324F148129E814E7254EB74A985DB91
                          Function 00F36ED7 Relevance: 1.4, Strings: 1, Instructions: 171COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID: LRsq
                          • API String ID: 0-3165563352
                          • Opcode ID: baf95489a0f7e72dbb7d6716947c703aa7f8de60640e590cd8e0e3bd50ce827a
                          • Instruction ID: bef13ea35a1c66bc320902d12d3924d4b75929f7f26a331876ce4608427db959
                          • Opcode Fuzzy Hash: baf95489a0f7e72dbb7d6716947c703aa7f8de60640e590cd8e0e3bd50ce827a
                          • Instruction Fuzzy Hash: D9519F74B042149FCB14EB78C498AAD7BF2EF89324F2040A9E406EB3A1DB759C41DB91
                          Function 00F37D28 Relevance: 1.4, Strings: 1, Instructions: 147COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID: LRsq
                          • API String ID: 0-3165563352
                          • Opcode ID: 1ad9447da3ebf137cbe6156511b5f62bf994c1fbfaef54eb3a3d8d891cfa77b9
                          • Instruction ID: 6da6ff38973cad33b68dd3f10ff0ffbc2f9ee05215edef8e2a6c8a63f3d73b8e
                          • Opcode Fuzzy Hash: 1ad9447da3ebf137cbe6156511b5f62bf994c1fbfaef54eb3a3d8d891cfa77b9
                          • Instruction Fuzzy Hash: 5C315EB1E043498FDB26DF69C8407AEB7B2EF96320F208569E401EB250E7709C85DB50
                          Function 00F37D98 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID: LRsq
                          • API String ID: 0-3165563352
                          • Opcode ID: 571d8c0d5862af66e1f454f5b9f2030e97b779486de3f5f047a9c5a447aa2edc
                          • Instruction ID: 10483e6ae09d7369fbe68e98fcea52c8f4561d9f2021a6129a30231fda0590ab
                          • Opcode Fuzzy Hash: 571d8c0d5862af66e1f454f5b9f2030e97b779486de3f5f047a9c5a447aa2edc
                          • Instruction Fuzzy Hash: EB314071E04309DBDB24EFA5C8407AEB7B1FF85320F608565E405EB250E770AD85DB50
                          Function 00F36BA0 Relevance: 1.3, Strings: 1, Instructions: 75COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID: LRsq
                          • API String ID: 0-3165563352
                          • Opcode ID: fa70d50ccf3dee4747384166e1c2242b100ff63126d37411da8aab2fb80de411
                          • Instruction ID: 75f31fbbd9d151c5a131ffbc023492df00d88474c267347618e105f2f301434c
                          • Opcode Fuzzy Hash: fa70d50ccf3dee4747384166e1c2242b100ff63126d37411da8aab2fb80de411
                          • Instruction Fuzzy Hash: 72210A3070C6805FCB16E778949169DBFF2EF8A310B0488EED045CB256DA658C46C792
                          Function 00F30838 Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID: Ko
                          • API String ID: 0-716275355
                          • Opcode ID: 3b87a87993d04cb342f5610ec0bb2db414202e561277ca5dd3a95427ffdd81d5
                          • Instruction ID: 0516cb683d98d136482c00d5f16af19cd9ef18819007de7a04b0c63f861b7635
                          • Opcode Fuzzy Hash: 3b87a87993d04cb342f5610ec0bb2db414202e561277ca5dd3a95427ffdd81d5
                          • Instruction Fuzzy Hash: C811E331E052049FEF266679986076A3760EB92334F10497BD442CF282EE65CC86ABD2
                          Function 00F30848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID: Ko
                          • API String ID: 0-716275355
                          • Opcode ID: 24229d088d29d1a3f38fe12093ad879b58313b4192cbc3fd4b49418eea9be551
                          • Instruction ID: 12ae3507275d0fa8979749970430036d7c7f9209bea9ddf87231729b4afe1f86
                          • Opcode Fuzzy Hash: 24229d088d29d1a3f38fe12093ad879b58313b4192cbc3fd4b49418eea9be551
                          • Instruction Fuzzy Hash: 79119E31F012089BEF69AB79D86072A3355EB86334F20497BD006CF351DE25CC82ABD2
                          Function 00F386C8 Relevance: .6, Instructions: 632COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6a99630c1bbc1379027d3567e574b41531d0863f2003ad29ebe6d245195d7876
                          • Instruction ID: 122b806bb42e68e710de497e2e6bddc908b642d765e5fc71b06bba65ea77ab44
                          • Opcode Fuzzy Hash: 6a99630c1bbc1379027d3567e574b41531d0863f2003ad29ebe6d245195d7876
                          • Instruction Fuzzy Hash: 003291307016069BDB29A738E89172837A2FBC5360F14597DE006DB395CF75DD8BAB82
                          Function 00F3A1B2 Relevance: .4, Instructions: 398COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d6e0bd24201b10f83770b7a1ab96e57f3cb47c90681ee471f56576151c0c3986
                          • Instruction ID: 100250aef98ee80ed4779cd27bc9cf8d031db7d0320dac73f2e71c2cc0b9f055
                          • Opcode Fuzzy Hash: d6e0bd24201b10f83770b7a1ab96e57f3cb47c90681ee471f56576151c0c3986
                          • Instruction Fuzzy Hash: E7E1B234B002158FDF14DB69D984A6EB7B2FF88320F248429E846DB395DB75DD42DB82
                          Function 00F34A8F Relevance: .3, Instructions: 262COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f38806e48883da5438d900d5bc44fa763b726e6a1adcbdb7b323e9e681fce720
                          • Instruction ID: a726e9c08f413316595b4a6e47eb8ccbc3ccabb8590a66b6dd3618e6cc8ba3ee
                          • Opcode Fuzzy Hash: f38806e48883da5438d900d5bc44fa763b726e6a1adcbdb7b323e9e681fce720
                          • Instruction Fuzzy Hash: 87B14E70E002098FDB10CFA9D9957DDBBF1AF88364F248529E815E7254EB74B845DF81
                          Function 00F3A6C0 Relevance: .1, Instructions: 139COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b995a91be955bc34798cada039f8ff317dbffd33a694203f9a69fde215a39087
                          • Instruction ID: 0cc6e9a6b2a28f6ae510d1386a2b9ec998875e1008d6cf438aa079ee3138b890
                          • Opcode Fuzzy Hash: b995a91be955bc34798cada039f8ff317dbffd33a694203f9a69fde215a39087
                          • Instruction Fuzzy Hash: 74514D75A00205CFDB14DF69E984B99FBB2FF88320F14C1A9E9089F395E7709945CB91
                          Function 00F36CDC Relevance: .1, Instructions: 134COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a8243ba7c53d44a61d63dcea6ab340ca877f5fac35ebc496514777a9ee579afe
                          • Instruction ID: bd2b28d3dede10d8f89a56dea25c480ca9b968e6a382d9d08b1254699258cc8f
                          • Opcode Fuzzy Hash: a8243ba7c53d44a61d63dcea6ab340ca877f5fac35ebc496514777a9ee579afe
                          • Instruction Fuzzy Hash: 555135B5E002199FDB18CFA9C885B9DBBF1BF48320F14811AE815BB395DB74A844DF94
                          Function 00F31111 Relevance: .1, Instructions: 133COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 44166f1094631b6f58dc1e73d64b58cc9cb72f4266ab90ae82663a28cf1a069f
                          • Instruction ID: c197e628bd728f0d5b9745699a2c44545acada05657a203dea937279d76b1eb3
                          • Opcode Fuzzy Hash: 44166f1094631b6f58dc1e73d64b58cc9cb72f4266ab90ae82663a28cf1a069f
                          • Instruction Fuzzy Hash: 1D515E70152E468FE71AFF2DF8D49553FA1FBD330470499DAE004AB27ADA702949DB81
                          Function 00F36CE8 Relevance: .1, Instructions: 132COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5dacdddc5627d0d51ef17f3a87bdaee40a3a152dfd377459862487402c687010
                          • Instruction ID: 013410bf24fdb7981cb6bf953461ddaf9db0c15a0a5883853cb199ba65dc1e91
                          • Opcode Fuzzy Hash: 5dacdddc5627d0d51ef17f3a87bdaee40a3a152dfd377459862487402c687010
                          • Instruction Fuzzy Hash: 475134B5E002199FDB18CFA9C884B9DBBF1BF48320F148419E819BB355DB74A844DF94
                          Function 00F31138 Relevance: .1, Instructions: 112COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a7ac71abec62fdf1da4193dd485718bffe29754943005c827fc099b4a6af573b
                          • Instruction ID: db4eb5b8d8c715731e40cf7865fc5bc3b20212e9b2acf6043ed71175186d8955
                          • Opcode Fuzzy Hash: a7ac71abec62fdf1da4193dd485718bffe29754943005c827fc099b4a6af573b
                          • Instruction Fuzzy Hash: 4F512E70252E468FE71AFF2EFCD49553B61F7D3304304AD99E004AB27ADA706949DB81
                          Function 00F326DC Relevance: .1, Instructions: 91COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7f46ecb89d6b6a49317431dc3aa69fa2ab376276c19ba9361a387c5b1d8be490
                          • Instruction ID: 0b1c58cdd8eeed048138e934e23670f520859bd0dd9d04186bf8e576fc246115
                          • Opcode Fuzzy Hash: 7f46ecb89d6b6a49317431dc3aa69fa2ab376276c19ba9361a387c5b1d8be490
                          • Instruction Fuzzy Hash: 5441F0B0D00349DFDB10DFA9C984A9EBFB5FF48320F24842AE419AB254DB75A945CB90
                          Function 00F31488 Relevance: .1, Instructions: 90COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0b009a1a86e767c614e9a9c4c9488b428317da752726ec6b0649695e1b5bb914
                          • Instruction ID: 288177d5b15ab3bf204dbd0435754b4b3fe96e19a9b50fe06859c0c13a775a73
                          • Opcode Fuzzy Hash: 0b009a1a86e767c614e9a9c4c9488b428317da752726ec6b0649695e1b5bb914
                          • Instruction Fuzzy Hash: 22315171E002158FDB61EB78D8552AD77A1FF89371F14047AE806D7341EA35CD41AB91
                          Function 00F326E8 Relevance: .1, Instructions: 90COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3fa1f6dbbe147c95dd0e256807b3ed0ba479c73ea8e432c660cb23008b91373e
                          • Instruction ID: 6b53aa4547c497b41c9e950c8e695582f30139ed0195b114549353bd2353092b
                          • Opcode Fuzzy Hash: 3fa1f6dbbe147c95dd0e256807b3ed0ba479c73ea8e432c660cb23008b91373e
                          • Instruction Fuzzy Hash: 1641DFB0D00349DFDB10DFA9C584A9EBFF5FF48320F24842AE419AB254DB75A945DB90
                          Function 00F317C0 Relevance: .1, Instructions: 89COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c39436dee8a99f7d1eb3e313f5d0f340fe2bb4c8726e0d15b7952574fb89b59b
                          • Instruction ID: 71bfa57da96754f774fa4ad2d71adbba6fd6cbae71863cfb7d33d92de20e1ebb
                          • Opcode Fuzzy Hash: c39436dee8a99f7d1eb3e313f5d0f340fe2bb4c8726e0d15b7952574fb89b59b
                          • Instruction Fuzzy Hash: 9821D175F006028BDF21AB79E8847AA7BA5FB89370F144A65E906C7354EB348C41DB91
                          Function 00EDD005 Relevance: .1, Instructions: 86COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3238982325.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_edd000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 903164265999fc99aef3304ab75ba5aeb5d8b39a8b8256ed75d6315278f9e9db
                          • Instruction ID: 93ae998d37cb58152543bf5bef30b2a8182d0064de327581d1afc6f3ef55b986
                          • Opcode Fuzzy Hash: 903164265999fc99aef3304ab75ba5aeb5d8b39a8b8256ed75d6315278f9e9db
                          • Instruction Fuzzy Hash: 5C312D7154E7C09FD7038B24C9A4711BF75EB47214F2985DBD885CF2A7C22A984ACB62
                          Function 00F3169F Relevance: .1, Instructions: 83COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eaebc0b9745437974543e1be5124e4b088cd027cf4eb37ceca031583838f95eb
                          • Instruction ID: 6c43c8169a87752121ee027266b10f4e2d0d790909066096994e70819ce51d0e
                          • Opcode Fuzzy Hash: eaebc0b9745437974543e1be5124e4b088cd027cf4eb37ceca031583838f95eb
                          • Instruction Fuzzy Hash: DE2128B8A009015FEF26EB7CECC47593755FB85330F145AA6E005CB265EE64DC42EB92
                          Function 00F3A070 Relevance: .1, Instructions: 82COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ab33da3803d2d0f6a87c3097e238ffc7bcc520773e5801d30d7e99ee2cd998c3
                          • Instruction ID: 16e4e71fce7a76bb98083c591be192e78a6ffe2bacf21c5f9a2b6a821a90ec90
                          • Opcode Fuzzy Hash: ab33da3803d2d0f6a87c3097e238ffc7bcc520773e5801d30d7e99ee2cd998c3
                          • Instruction Fuzzy Hash: D1318170E0460A9BDB09DFA9D844B9EF7B2FF85320F10C519E805FB241DB719945DB51
                          Function 00F3A080 Relevance: .1, Instructions: 78COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4155f11a43a291041571cc96c16b92f0673bb3215d1cd757839a7884e4b61063
                          • Instruction ID: 769cd4c2de347c9670f85e4a7914feaef5b7eb7cbdb943054bd7a370b30bc70c
                          • Opcode Fuzzy Hash: 4155f11a43a291041571cc96c16b92f0673bb3215d1cd757839a7884e4b61063
                          • Instruction Fuzzy Hash: 39217171E0020A9BDB09DF65D85469EF7B2FF85320F10C529E805EB240DB719C81DB51
                          Function 00F3A853 Relevance: .1, Instructions: 76COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ccce7142c68ec9825fc034db69df8573d430e7b13196f498ba7c9ff4df623ee3
                          • Instruction ID: da251ac8be22565d1c4bc3060fe71ee567ecf40434bc381959970bddb4e787dc
                          • Opcode Fuzzy Hash: ccce7142c68ec9825fc034db69df8573d430e7b13196f498ba7c9ff4df623ee3
                          • Instruction Fuzzy Hash: 2321A171B001049FEB14DB6AC854BAEB7F6EF88730F218169E501FB3A4DA75DD018B91
                          Function 00F39F70 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c387c425fc3496453d2f11d5fd24bc5eb72d8780fc0215e116cb3cc4e37ad132
                          • Instruction ID: 9679ddc431f8ca09653c767efbda235bfdf39871e488ece0a7e5cb6476ea984d
                          • Opcode Fuzzy Hash: c387c425fc3496453d2f11d5fd24bc5eb72d8780fc0215e116cb3cc4e37ad132
                          • Instruction Fuzzy Hash: 38218371E042159BDB19CFB5D4546DEB7B2AF85320F20862AE812FB380DBB09C45CB41
                          Function 00F34F8B Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b01dcac8d2d01a56845e81118588eb2665b0efaa564678c72921077a30815f89
                          • Instruction ID: 3fa90605d51ebc785b14981fe014b729f1ac89c95bb3a4637f759cd02e66a32c
                          • Opcode Fuzzy Hash: b01dcac8d2d01a56845e81118588eb2665b0efaa564678c72921077a30815f89
                          • Instruction Fuzzy Hash: 98212B70A005058FDB18EB79C958AAD77F1EF89714F2004A8E406EB361DB769D05DB90
                          Function 00EDD044 Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3238982325.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_edd000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9a7b7bd8726a66f9c80893079af0f72b8fec0db9d0684b41bda6bbb6c160d60c
                          • Instruction ID: 9389f51d09dd73959658fa68a92a732e75ad54c7757d5d583b4237901d5bb58a
                          • Opcode Fuzzy Hash: 9a7b7bd8726a66f9c80893079af0f72b8fec0db9d0684b41bda6bbb6c160d60c
                          • Instruction Fuzzy Hash: 1D21F2B1508204AFCB14CF24CDC0B26BB66FB84318F24C96EE9495B392C73AD847DA61
                          Function 00F31878 Relevance: .1, Instructions: 71COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f3b6e412638bf9b017ead6091934d0641624a70273bcae56a4942931974dbddf
                          • Instruction ID: 8f176561957ec2acf4ca222539d5179521f83060b13b284396b2055e0c90c37e
                          • Opcode Fuzzy Hash: f3b6e412638bf9b017ead6091934d0641624a70273bcae56a4942931974dbddf
                          • Instruction Fuzzy Hash: F8216931B052058FDB24EB74C9697AD77F2BF89321F2004A9C002EB3A1DB768D45EB55
                          Function 00F31888 Relevance: .1, Instructions: 70COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a20a95865ac03e90f8c930d028a49a9369f7d267ce3532fcc110fbbda2ce9fdb
                          • Instruction ID: a21a20a6563a4ad9649e51b34c5e21a85424e0cfb84d129b70569c02fd5e44a0
                          • Opcode Fuzzy Hash: a20a95865ac03e90f8c930d028a49a9369f7d267ce3532fcc110fbbda2ce9fdb
                          • Instruction Fuzzy Hash: B2213B30B012048FDB14EB64C5657AD77F2BB89361F100468D005EB364DF368D41EB55
                          Function 00F39F80 Relevance: .1, Instructions: 70COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: af1bcc2587aba557bab977518933a48b37c7387e5f7181b6d111234a1fd0a6ed
                          • Instruction ID: 8c0126738981afac04832a442232beca9d281996a9eb810391a1bd555a4106ba
                          • Opcode Fuzzy Hash: af1bcc2587aba557bab977518933a48b37c7387e5f7181b6d111234a1fd0a6ed
                          • Instruction Fuzzy Hash: 3C216571E043199BDB18CFA5D85469EB7B2FF89320F20851AE816FB390DBB09C45DB51
                          Function 00F31383 Relevance: .1, Instructions: 69COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7c629d838b3df96298927eb826039cb9ff299f110d1c862807025876c52c0874
                          • Instruction ID: 82e261944841bae2fc19584f42cddb37812c540d2a87e515dea0feb7cb54fb60
                          • Opcode Fuzzy Hash: 7c629d838b3df96298927eb826039cb9ff299f110d1c862807025876c52c0874
                          • Instruction Fuzzy Hash: 2221A270A047418FDB35A738E8D836D3B61FB97331F1009A9E446C73A1DA25CC85EB82
                          Function 00F316B0 Relevance: .1, Instructions: 69COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4e7196afeb1fff7547cba3f1c107492b189781504c3238103ed04e3937c3acf5
                          • Instruction ID: 7f2ea2c43f6861d7cf5ad1b06b3287dceb48098fd23a8e200a37f97ebd21c540
                          • Opcode Fuzzy Hash: 4e7196afeb1fff7547cba3f1c107492b189781504c3238103ed04e3937c3acf5
                          • Instruction Fuzzy Hash: FE21E478A009019BEF25EB2CECC47593755FB85330F145A65E006CB269EE74DC81EB91
                          Function 00F34F98 Relevance: .1, Instructions: 68COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bb8d3081d62032ce82862f96a48d0269e3a2fea33ebec8ac4738f3d4cd14a301
                          • Instruction ID: 41bebf078b9ed65eaf5ffa520ad8e41e2cda402e0036b79e6c4902ab1650dbfc
                          • Opcode Fuzzy Hash: bb8d3081d62032ce82862f96a48d0269e3a2fea33ebec8ac4738f3d4cd14a301
                          • Instruction Fuzzy Hash: BA214A70B00605CFCB18EB79C958AAD77F1BB89724F2004A8E406EB3A1DB369D04DB90
                          Function 00F31498 Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b959d832f6d85c8ac76bfbc764a61a06006926de25c0df815246301564762b36
                          • Instruction ID: 44dd60981afb1ace1d18561ce92ab9050ee2f661314a3325c9bec8a3fbbe04f0
                          • Opcode Fuzzy Hash: b959d832f6d85c8ac76bfbc764a61a06006926de25c0df815246301564762b36
                          • Instruction Fuzzy Hash: A6012D31E002159BDF61EFB888512AE7BE5FB49330F24447AD805E7305EB35C8419B91
                          Function 00F3A6BD Relevance: .0, Instructions: 48COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0716371f1a1de78838811894f72cfccc68e6fb2c3b43f163e72ce60d339975f8
                          • Instruction ID: a213e25bb69a6acccfdee4aa730f816c0c059697a4fb9442e6c70bbc3db2d15a
                          • Opcode Fuzzy Hash: 0716371f1a1de78838811894f72cfccc68e6fb2c3b43f163e72ce60d339975f8
                          • Instruction Fuzzy Hash: 47019231A001048FCB14DFA5D984B8ABBB5FF84321F54C568D80C6F296DB71AD46CBA1
                          Function 00F38F10 Relevance: .0, Instructions: 41COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 434c4bc9dac987451394bc4c48bdc5eef1ee3883e8a1bfe9677daaa8371e3e83
                          • Instruction ID: 46c2418a9e43f2ce9d473bc2a164a4d9819cb79e5d8c09895ffa62aaa2aa12b6
                          • Opcode Fuzzy Hash: 434c4bc9dac987451394bc4c48bdc5eef1ee3883e8a1bfe9677daaa8371e3e83
                          • Instruction Fuzzy Hash: CA01D474900548AFDB09FBB8E9916DC7BF1EF41300B10A5E9C005AB251EE311E069B52
                          Function 00F37EB0 Relevance: .0, Instructions: 34COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f2c2be94ea83f6a0a219c72e0f48b032b92ca8e96df584ea0b1f8debbcf1caea
                          • Instruction ID: f9f13531d6d4765022256efac94f19ac54a6befd7589e1bef8a92596cfea5969
                          • Opcode Fuzzy Hash: f2c2be94ea83f6a0a219c72e0f48b032b92ca8e96df584ea0b1f8debbcf1caea
                          • Instruction Fuzzy Hash: 85F0C979B002088FCB14EB64D999B6D77B2EF88325F5145A8E5069B3B4DB31AD42DF40
                          Function 00F38F20 Relevance: .0, Instructions: 33COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000006.00000002.3239209453.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_6_2_f30000_RegSvcs.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d009b2bfb73c99d1379c52ec2f090b89b15b225b46e3f33f5b15ce452c477e50
                          • Instruction ID: 4aaf428516e9f6bd281358f22e0707ff55a2de071805cba967d0867eca508a7a
                          • Opcode Fuzzy Hash: d009b2bfb73c99d1379c52ec2f090b89b15b225b46e3f33f5b15ce452c477e50
                          • Instruction Fuzzy Hash: 0FF0A4709005099FDF08FFB8F981A9C7BB1EB40300F10A6ACD405AB244EF712F459B81