
Windows Analysis Report
SecuriteInfo.com.Heur.31042.29735.exe

Overview

General Information

Sample name: SecuriteInfo.com.Heur.31042.29735.exe
Analysis ID: 1532750
MD5: cb4903c1c4f23b021905da634c002f04
SHA1: c2ccf3a1e5037c6e540b94a59e2c367ba8cd9090
SHA256: 49945b5eb3f80e6bb9dba81c6c6f643245bb0831ce2f6e5abf4db12ab6709b76
Tags: exe

Detection

PureLog Stealer, zgRAT
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for sample
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • cleanup
Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component that targets browser information and cryptowallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Source | Rule | Description | Author | Strings
SecuriteInfo.com.Heur.31042.29735.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
SecuriteInfo.com.Heur.31042.29735.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
SecuriteInfo.com.Heur.31042.29735.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.1418148749.0000000000C22000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.2672803940.0000000004427000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.raw.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
                      No Sigma rule has matched
                      No Suricata rule has matched


                      AV Detection

Source: SecuriteInfo.com.Heur.31042.29735.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Heur.31042.29735.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SecuriteInfo.com.Heur.31042.29735.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Demon Lookup.pdb source: SecuriteInfo.com.Heur.31042.29735.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_02FB0910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_056A82F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_056A9940
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 0_2_056A9A4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 0_2_056A9A58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 4x nop then mov esp, ebp 0_2_09582CF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 4x nop then mov esp, ebp 0_2_09582CEA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch] 0_2_09D9E158
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch] 0_2_09D9D88C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-4Ch] 0_2_09D9D880

                      Networking

Source: Yara match | File source: SecuriteInfo.com.Heur.31042.29735.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.raw.unpack, type: UNPACKEDPE
Source: SecuriteInfo.com.Heur.31042.29735.exe | String found in binary or memory: Demon Toolsshttps://www.youtube.com/channel/UCYARbqAHQhZjOeS-Jn_5ubw?%Segoe UI Semilight equals www.youtube.com (Youtube)
Source: SecuriteInfo.com.Heur.31042.29735.exe | String found in binary or memory: http://ip-api.com/line/
Source: SecuriteInfo.com.Heur.31042.29735.exe | String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: SecuriteInfo.com.Heur.31042.29735.exe | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: SecuriteInfo.com.Heur.31042.29735.exe | String found in binary or memory: https://www.youtube.com/channel/UCYARbqAHQhZjOeS-Jn_5ubw?%Segoe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_09582618 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_02FB0C78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_02FB0FBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_02FB0C6A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_02FB1018
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_02FB100C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_056A8AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_056A8AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_094468C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_0944AD2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_094468B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_0944BA70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_0944BFC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Code function: 0_2_09D9BEB0
Source: SecuriteInfo.com.Heur.31042.29735.exe, 00000000.00000002.2668999337.00000000013DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe, 00000000.00000000.1418148749.0000000000C22000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDemon Lookup.exe8 vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe, 00000000.00000002.2672803940.0000000004427000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDemon Lookup.exe8 vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe, 00000000.00000002.2670117964.0000000003248000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe, 00000000.00000002.2670117964.0000000003248000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe, 00000000.00000002.2670117964.0000000003248000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $gq,\\StringFileInfo\\040904B0\\OriginalFilename vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe | Binary or memory string: OriginalFilenameDemon Lookup.exe8 vs SecuriteInfo.com.Heur.31042.29735.exe
Source: SecuriteInfo.com.Heur.31042.29735.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SecuriteInfo.com.Heur.31042.29735.exe, nCP5vtxT3QjsSeuiK3.cs | Cryptographic APIs: 'CreateDecryptor'
Source: SecuriteInfo.com.Heur.31042.29735.exe, nCP5vtxT3QjsSeuiK3.cs | Cryptographic APIs: 'CreateDecryptor'
Source: SecuriteInfo.com.Heur.31042.29735.exe, nCP5vtxT3QjsSeuiK3.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal68.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Mutant created: NULL
Source: SecuriteInfo.com.Heur.31042.29735.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Heur.31042.29735.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: mscorjit.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Section loaded: iconcodecservice.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Heur.31042.29735.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Heur.31042.29735.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Heur.31042.29735.exe | Static file information: File size 2200064 > 1048576
Source: SecuriteInfo.com.Heur.31042.29735.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x211800
Source: SecuriteInfo.com.Heur.31042.29735.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Heur.31042.29735.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Demon Lookup.pdb source: SecuriteInfo.com.Heur.31042.29735.exe

                      Data Obfuscation

Source: SecuriteInfo.com.Heur.31042.29735.exe, nCP5vtxT3QjsSeuiK3.cs | .Net Code: Type.GetTypeFromHandle(nla1WKOGMY5oN5nImw.YLTPhkyqLF6F9(16777922)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(nla1WKOGMY5oN5nImw.YLTPhkyqLF6F9(16777319)),Type.GetTypeFromHandle(nla1WKOGMY5oN5nImw.YLTPhkyqLF6F9(16777307))})
Source: SecuriteInfo.com.Heur.31042.29735.exe | Static PE information: 0xC37D13F1 [Wed Dec 6 02:50:25 2073 UTC]
Source: SecuriteInfo.com.Heur.31042.29735.exe, XmlDeserializer.cs | High entropy of concatenated method names: 'AShxtKNgpRu', 'JphxtDpp9ZN', 'U32xtZfmmca', 'pwpxthD16wC', 'XNhxtQgkNHU', 'ADixt3qGeuH', 'GK9xxt7adJW', 'fS9xxYij6Bj', 'oEcxxrIjElC', 'rIMxxMrPNk7'
Source: SecuriteInfo.com.Heur.31042.29735.exe, JsonSerializerInternalReader.cs | High entropy of concatenated method names: 'B5PEjXG5Xl', 'AXxEfX2uad', 'tsHEaMxpd4', 'DsvEnkfYjQ', 'mWhE5Ei3R8', 'Populate', 'aXcjZGErTb', 'Deserialize', 'kKojhYbUAI', 'QJ6jQabmqQ'
Source: SecuriteInfo.com.Heur.31042.29735.exe, JsonSerializerInternalWriter.cs | High entropy of concatenated method names: 'Serialize', 'SKly85pJff', 'u2dybPOxw8', 'b5Wy4KdUOg', 'IgKyXisRU7', 'yAnyGmbC2e', 'RfEydedQhd', 'crwyjmHn3J', 'NPoyyXg9ED', 'JDNyfCe3T9'
Source: SecuriteInfo.com.Heur.31042.29735.exe, nCP5vtxT3QjsSeuiK3.cs | High entropy of concatenated method names: 'WiPxz4ErS9', 'wF8A8TaRGh', 'HefA1kxtZZ', 'KDCAxb9WJB', 'gNsAAIBaNY', 'm2sAbvmr5t', 'JUvPhkwy9pJ5A', 'yI41JQ64h', 'uqQx0MUPHVl', 'Ok2x0ONlBS5'
Source: SecuriteInfo.com.Heur.31042.29735.exe, BsonReader.cs | High entropy of concatenated method names: 'Ohls3770UV', 'Read', 'Close', 'T76sS6pEZ7', 'JO7sT7eNdp', 'f4wsRiYhWL', 'AqGswuGdGS', 'uHTsB6PR2j', 'BiysJcdKmA', 'UgCszixwGx'
Source: SecuriteInfo.com.Heur.31042.29735.exe, Http.cs | High entropy of concatenated method names: 'E9IBEMeHUB', 'JGYBKrg4V0', 'A6yBZtRDiZ', 'lQJBhh40up', 'qVSBTu5q5B', 'OSUBBRQITN', 'kBsBJETI6i', 'q3yJxAKMMl', 'njSJYy6jYf', 'hDBJMVeL1D'
Source: SecuriteInfo.com.Heur.31042.29735.exe, JPath.cs | High entropy of concatenated method names: 'IRd5DFp9Rr', 'aJk5ZsZewv', 'd8T5hj9Kmi', 'cqk5Qg6Phr', 'TD953ToHso', 'jpT5SHCAhm', 'PgP5T3OD6u', 'R145Rg2OsS', 'HoH5wCkD7T', 'n9m5BGkSy9'
Source: SecuriteInfo.com.Heur.31042.29735.exe, Form1.cs | High entropy of concatenated method names: 'mgrx1nbMT', 'koacLhthy', 'enqHrZLpx', 'G40YZ1axj', 'JNFPKQw5w', 'uu2rf64qx', 'ywmptPsbR', 'urtMQvvGC', 'HRCOmT5JL', 'P0dvTb2Xe'
Source: SecuriteInfo.com.Heur.31042.29735.exe, XmlNodeConverter.cs | High entropy of concatenated method names: 'WriteJson', 'IAts1P9knp', 'yRNsiDqkYM', 'fqesUTR5qR', 'p04sIySFhY', 'YvhsNAGh9Q', 'SkusmiS3Ru', 'j1SsVchA2O', 'O04s9XEEbm', 'oHBs22PvIM'
Source: SecuriteInfo.com.Heur.31042.29735.exe, JsonValidatingReader.cs | High entropy of concatenated method names: 'RRJKZmRIen', 'XrpKhtFVUr', 'gpPKQUUhls', 'n4ZK3kihot', 'PfdKSbUhBA', 'ynBkZsLJ4G', 'KvYkhZTKeG', 'qkek3sBS2b', 'NDtkSEHOYm', 'CMXkR7Bdpq'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Memory allocated: 1560000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Memory allocated: 3200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Memory allocated: 3010000 memory reserve | memory write watch
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Process token adjusted: Debug
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match | File source: SecuriteInfo.com.Heur.31042.29735.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1418148749.0000000000C22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2672803940.0000000004427000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: SecuriteInfo.com.Heur.31042.29735.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.unpack, type: UNPACKEDPE

                      Remote Access Functionality

Source: Yara match | File source: SecuriteInfo.com.Heur.31042.29735.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1418148749.0000000000C22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2672803940.0000000004427000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: SecuriteInfo.com.Heur.31042.29735.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SecuriteInfo.com.Heur.31042.29735.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Heur.31042.29735.exe.4427a60.0.unpack, type: UNPACKEDPE
MITRE ATT&CK Matrix (one line per tactic; a technique followed by a number in parentheses was flagged by that many signatures):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Software Packing (1); Deobfuscate/Decode Files or Information (1); Timestomp (1); DLL Side-Loading (1); Obfuscated Files or Information (1)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Virtualization/Sandbox Evasion (1); System Information Discovery (13); Query Registry; System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus detection (Source | Detection | Scanner | Label | Link):
SecuriteInfo.com.Heur.31042.29735.exe | 8% | ReversingLabs | |
SecuriteInfo.com.Heur.31042.29735.exe | 100% | Joe Sandbox ML | |
No Antivirus matches

URL detection (Source | Detection | Scanner | Label | Link):
https://www.nuget.org/packages/Newtonsoft.Json.Bson | 0% | URL Reputation | safe |
No contacted domains info

URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
https://www.nuget.org/packages/Newtonsoft.Json.Bson | SecuriteInfo.com.Heur.31042.29735.exe | false | URL Reputation: safe | unknown
https://www.youtube.com/channel/UCYARbqAHQhZjOeS-Jn_5ubw?%Segoe | SecuriteInfo.com.Heur.31042.29735.exe | false | | unknown
http://ip-api.com/line/ | SecuriteInfo.com.Heur.31042.29735.exe | false | | unknown
http://www.newtonsoft.com/jsonschema | SecuriteInfo.com.Heur.31042.29735.exe | false | | unknown
                            No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532750
Start date and time: 2024-10-13 21:33:33 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Heur.31042.29735.exe
Detection: MAL
Classification: mal68.troj.evad.winEXE@1/0@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 54
• Number of non-executed functions: 15
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• VT rate limit hit for: SecuriteInfo.com.Heur.31042.29735.exe
                            No simulations
                            No context
                            No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.056183703433297
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.69%
• Win32 Executable (generic) a (10002005/4) 49.65%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• InstallShield setup (43055/19) 0.21%
• Windows Screen Saver (13104/52) 0.07%
File name: SecuriteInfo.com.Heur.31042.29735.exe
File size: 2'200'064 bytes
MD5: cb4903c1c4f23b021905da634c002f04
SHA1: c2ccf3a1e5037c6e540b94a59e2c367ba8cd9090
SHA256: 49945b5eb3f80e6bb9dba81c6c6f643245bb0831ce2f6e5abf4db12ab6709b76
SHA512: 7f632331ba7f2fdd3c76f7f158a1cd6e79be796f2dc9f9149b7a071bb77b35fc4f0c6f189a8179eaf4947533513a3f926c879c50c8cf6cb13abdd424113f48fa
SSDEEP: 49152:PFkR/VWoA1QfIBoq2Pkbu5Gk6hQW/3f2V1mPzidqz/CIaB2w:NkR/VMCGvj/vYkP9aB
TLSH: 7DA59E1577EA8E2AD3EA2F345497A5310A75E9169B13A39F033842352FE33B40EC479D
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}...............0...!..x.......6!.. ...@!...@.. ........................!...........`................................
Icon Hash: 72d6d492ccd65431
Entrypoint: 0x6136ae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xC37D13F1 [Wed Dec 6 02:50:25 2073 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (entrypoint disassembly):
jmp dword ptr [00402000h]
(The jump target is the IAT entry at RVA 0x2000 of the 0x400000 image base, i.e. the sole import _CorExeMain; the bytes after the jump are zero padding, which the disassembler renders as repeated "add byte ptr [eax], al".)
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x213660 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x214000 | 0x74e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x21c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x21361a | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
.text | 0x2000 | 0x2116b4 | 0x211800 | 8487873d5278e6bb95fbd29b0514b61f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x214000 | 0x74e8 | 0x7600 | 9936b421d60a7a22d14a4da9e7f68683 | False | 0.9635195974576272 | data | 7.894279640436669 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x21c000 | 0xc | 0x200 | a6466d1f21cccb55110552bad5096cbe | False | 0.044921875 | MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "!" | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity):
RT_ICON | 0x214130 | 0x6e51 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.0004603236429306
RT_GROUP_ICON | 0x21af84 | 0x14 | data | | | 1.05
RT_VERSION | 0x21af98 | 0x364 | data | | | 0.4009216589861751
RT_MANIFEST | 0x21b2fc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

Imports (DLL | Import):
mscoree.dll | _CorExeMain

Network traffic (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Oct 13, 2024 21:35:04.617449045 CEST | 53 | 56190 | 1.1.1.1 | 192.168.2.11
Target ID: 0
Start time: 15:34:44
Start date: 13/10/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Heur.31042.29735.exe"
Imagebase: 0xc20000
File size: 2'200'064 bytes
MD5 hash: CB4903C1C4F23B021905DA634C002F04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1418148749.0000000000C22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2672803940.0000000004427000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


                              Execution Graph

Execution Coverage: 12.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 3.7%
Total number of Nodes: 217
Total number of Limit Nodes: 18

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2678576184.0000000009440000.00000040.00000800.00020000.00000000.sdmp, Offset: 09440000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9440000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: \aB$fff?
                              • API String ID: 0-2032288996
                              • Opcode ID: 268883a0f51e76ceb7acc85879a650b02d42325ba5279f27a311e2ac6d822185
                              • Instruction ID: 4ad3aa748fb7b70676018d98758d7cd0a71c5eb35af4f1c63a42c3c49d182f49
                              • Opcode Fuzzy Hash: 268883a0f51e76ceb7acc85879a650b02d42325ba5279f27a311e2ac6d822185
                              • Instruction Fuzzy Hash: 0A623936810A1ADFCF11DF50C884AD9B7B2FF99300F1586D5E9086B165EB72AAD5CF80
                              Memory Dump Source
                              • Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: DispatchMessage
                              • String ID:
                              • API String ID: 2061451462-0
                              • Opcode ID: ca38d6b982687c023518e3e1816030c35e00c174aec3a16f2d7cb2fcfb1c4bf8
                              • Instruction ID: c33c8617f7faf4fcd7ef2f3a9021544e9a8bf1af9c45b878542d3b5fa0191270
                              • Opcode Fuzzy Hash: ca38d6b982687c023518e3e1816030c35e00c174aec3a16f2d7cb2fcfb1c4bf8
                              • Instruction Fuzzy Hash: ADF18B30A60209CFDF14EFA9C944BADBBF1FF88304F158119E449AF6A5DB75A945CB80
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Initialize
                              • String ID:
                              • API String ID: 2538663250-0
                              • Opcode ID: 27414650dd607e8628753cf407775d1f2779f92db6d575cba2d02fcf412f7700
                              • Instruction ID: bb3f8618e3607ab98a9d83945e676b44ddceb8e651064deb715a14c2daf29968
                              • Opcode Fuzzy Hash: 27414650dd607e8628753cf407775d1f2779f92db6d575cba2d02fcf412f7700
                              • Instruction Fuzzy Hash: 9FD115B1B02745CBE710EF64EA4818A7BB1FB89B24F158209D1A16F2D8D7BC148BDF54
                              APIs
                              • EnumThreadWindows.USER32(056A3C24,00000000,056A3C0C), ref: 056A99E8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: EnumThreadWindows
                              • String ID:
                              • API String ID: 2941952884-0
                              • Opcode ID: c2cdd1eff0ab0713854a5773f6c65c0663c114ae397593be56087052949f93b7
                              • Instruction ID: d3012bfc9bb5d21cda26ae8b97215618a3e98ee73727b7e0b5324598a5701a37
                              • Opcode Fuzzy Hash: c2cdd1eff0ab0713854a5773f6c65c0663c114ae397593be56087052949f93b7
                              • Instruction Fuzzy Hash: 9D31CBB5C052589FCB10CFAAD584AEDFBF5EB49310F24902AE414B7310D335AA45CF54
                              APIs
                              • EnumThreadWindows.USER32(056A3C24,00000000,056A3C0C), ref: 056A99E8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: EnumThreadWindows
                              • String ID:
                              • API String ID: 2941952884-0
                              • Opcode ID: 388be188c4c7551b53024b2752c61a69ef65ba25e03cd918f6304790caf94a0c
                              • Instruction ID: 5212381d003742e37018fab762c3892881a056d84c3dfe22d0950a7c580f9ee3
                              • Opcode Fuzzy Hash: 388be188c4c7551b53024b2752c61a69ef65ba25e03cd918f6304790caf94a0c
                              • Instruction Fuzzy Hash: 6531AAB5C052589FCB10CFAAE584AEEFBF5AB49310F24902AE414B7350D739AA45CF54
                              Memory Dump Source
                              • Source File: 00000000.00000002.2669792235.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2fb0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4'gq
                              • API String ID: 0-1857117253
                              • Opcode ID: 7009987801a4a20f267228e13d3336590f5ef7f2bb9cec39d99106f0844cc3be
                              • Instruction ID: c95942edb9cc67a85c58a24943965db826fb175693f388e1a4fae01af2148272
                              • Opcode Fuzzy Hash: 7009987801a4a20f267228e13d3336590f5ef7f2bb9cec39d99106f0844cc3be
                              • Instruction Fuzzy Hash: 7A714EB0A006468FD74ADF7EE44869ABBF3FBC8300F14C569D4159F2AADB745849DB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.2669792235.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2fb0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4'gq
                              • API String ID: 0-1857117253
                              • Opcode ID: 9ef00a11fd8dea684d4c22dee0c2d3596abe903c4dbcd9a39369da177ef5eae8
                              • Instruction ID: 893985da09297a67304a25982bf9180028e7ac7c08d04a61ddd616d6215b2f84
                              • Opcode Fuzzy Hash: 9ef00a11fd8dea684d4c22dee0c2d3596abe903c4dbcd9a39369da177ef5eae8
                              • Instruction Fuzzy Hash: 0E612EB0A0060A8FD745DFBFE84869ABBF3FBC8300F14C529D4159F269EB7458498B50
                              Memory Dump Source
                              • Source File: 00000000.00000002.2678576184.0000000009440000.00000040.00000800.00020000.00000000.sdmp, Offset: 09440000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9440000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 68381c56529f593731d08e4412d5a281e792858cc5a6405f9b2e46bd3ec7f6f6
                              • Instruction ID: d74b4f22f0d90b35e77557bd12fc8112b2569b2ce1941915ef44ee8c2c31e7cc
                              • Opcode Fuzzy Hash: 68381c56529f593731d08e4412d5a281e792858cc5a6405f9b2e46bd3ec7f6f6
                              • Instruction Fuzzy Hash: D272A034901629CFDB65EF68C844BD9BBB2FF4A300F5081E9D549AB260DB31AE95CF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.2678576184.0000000009440000.00000040.00000800.00020000.00000000.sdmp, Offset: 09440000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9440000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 98c774c9638e2d9407e90467ff826f164f489eaf25b12ac8eba9aaa732ddf1fe
                              • Instruction ID: ece91d152c72e2aefd74d18bfd4c9ac00624d1a3be5cab402253ec1dfab86070
                              • Opcode Fuzzy Hash: 98c774c9638e2d9407e90467ff826f164f489eaf25b12ac8eba9aaa732ddf1fe
                              • Instruction Fuzzy Hash: ED72A034901629CFDB65EF68C844BD9BBB2FF8A300F5081E9D5496B260DB31AE95CF50
                               Control-flow Graph (blocks marked Executed / Not Executed in the original rendering)
                               control_flow_graph 378 56a7918-56a79b7 GetCurrentProcess 382 56a79b9-56a79bf 378->382 383 56a79c0-56a79f4 GetCurrentThread 378->383 382->383 384 56a79fd-56a7a31 GetCurrentProcess 383->384 385 56a79f6-56a79fc 383->385 386 56a7a3a-56a7a52 384->386 387 56a7a33-56a7a39 384->387 385->384 399 56a7a55 call 56a7af8 386->399 400 56a7a55 call 56a7f48 386->400 387->386 391 56a7a5b-56a7a8a GetCurrentThreadId 392 56a7a8c-56a7a92 391->392 393 56a7a93-56a7af5 391->393 392->393 399->391 400->391
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 056A79A6
                              • GetCurrentThread.KERNEL32 ref: 056A79E3
                              • GetCurrentProcess.KERNEL32 ref: 056A7A20
                              • GetCurrentThreadId.KERNEL32 ref: 056A7A79
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: 03bb4015d4611557334d99cdd729f634b141a970a12e43e9c448e54ff4df8053
                              • Instruction ID: b9dc6a131551846de1df12aee425f3b1d6b257523af3e42193fa3622fda5077c
                              • Opcode Fuzzy Hash: 03bb4015d4611557334d99cdd729f634b141a970a12e43e9c448e54ff4df8053
                              • Instruction Fuzzy Hash: EF5153B0901249CFDB14CFAAD948B9EBFF5EF88314F248459E409AB3A0DB346944CF65
                               Control-flow Graph (blocks marked Executed / Not Executed in the original rendering)
                               control_flow_graph 401 56a7928-56a79b7 GetCurrentProcess 405 56a79b9-56a79bf 401->405 406 56a79c0-56a79f4 GetCurrentThread 401->406 405->406 407 56a79fd-56a7a31 GetCurrentProcess 406->407 408 56a79f6-56a79fc 406->408 409 56a7a3a-56a7a52 407->409 410 56a7a33-56a7a39 407->410 408->407 422 56a7a55 call 56a7af8 409->422 423 56a7a55 call 56a7f48 409->423 410->409 414 56a7a5b-56a7a8a GetCurrentThreadId 415 56a7a8c-56a7a92 414->415 416 56a7a93-56a7af5 414->416 415->416 422->414 423->414
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 056A79A6
                              • GetCurrentThread.KERNEL32 ref: 056A79E3
                              • GetCurrentProcess.KERNEL32 ref: 056A7A20
                              • GetCurrentThreadId.KERNEL32 ref: 056A7A79
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: b86aeec8fb0e5044dff8c18a337578088c4765464ff307156b5bfcac01038f49
                              • Instruction ID: c3e68242cd55402a19d2a127cfbefe87757f4e37c3123d9129fa0ed255284484
                              • Opcode Fuzzy Hash: b86aeec8fb0e5044dff8c18a337578088c4765464ff307156b5bfcac01038f49
                              • Instruction Fuzzy Hash: 125164B0900249CFDB14CFAAD948B9EBBF5FF88314F208469E409AB360DB346944CF65
                               Control-flow Graph (blocks marked Executed / Not Executed in the original rendering)
                               control_flow_graph 424 56a6480-56a6502 428 56a6508-56a652d 424->428 429 56a6746-56a6779 424->429 434 56a6533-56a6558 428->434 435 56a6780-56a67b5 428->435 429->435 442 56a655e-56a656e 434->442 443 56a67bc-56a67f1 434->443 435->443 448 56a67f8-56a6824 442->448 449 56a6574-56a6578 442->449 443->448 453 56a682b-56a6869 448->453 450 56a657a-56a6580 449->450 451 56a6586-56a658b 449->451 450->451 450->453 454 56a6599-56a659f 451->454 455 56a658d-56a6593 451->455 457 56a6870-56a68ae 453->457 459 56a65b0-56a65c4 454->459 460 56a65a1-56a65a9 454->460 455->454 455->457 493 56a68b5-56a6931 457->493 471 56a65ca 459->471 472 56a65c6-56a65c8 459->472 460->459 475 56a65cf-56a65e7 471->475 472->475 477 56a65e9-56a65ef 475->477 478 56a65f1-56a65f5 475->478 477->478 480 56a6644-56a6651 477->480 481 56a6638-56a6641 478->481 482 56a65f7-56a6623 GetActiveWindow 478->482 491 56a6653-56a6669 call 56a4bf4 480->491 492 56a6691 480->492 481->480 485 56a662c-56a6636 482->485 486 56a6625-56a662b 482->486 485->480 486->485 502 56a666b-56a6671 call 56a6e90 491->502 503 56a6688-56a668e 491->503 527 56a6691 call 56a7438 492->527 528 56a6691 call 56a7470 492->528 520 56a699e 493->520 521 56a6933-56a693e 493->521 496 56a6697-56a66e5 call 56a4c00 call 56a9ee8 512 56a66eb-56a66f5 496->512 506 56a6677-56a6682 502->506 503->492 506->493 506->503 512->429 524 56a69af-56a69b4 520->524 525 56a69a0-56a69ac 520->525 522 56a694b 521->522 523 56a6940-56a6949 521->523 526 56a694d-56a6953 522->526 523->526 527->496 528->496
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ActiveWindow
                              • String ID: Hkq$Hkq
                              • API String ID: 2558294473-2158860719
                              • Opcode ID: 34e2bfbe07db06f664ba23169adf3a16326e89ced46631468bdf59a38ed928ba
                              • Instruction ID: 08a2378afabad18e89a63aaeee35080cb6e94d1adff3bf1f49aafb6000edb075
                              • Opcode Fuzzy Hash: 34e2bfbe07db06f664ba23169adf3a16326e89ced46631468bdf59a38ed928ba
                              • Instruction Fuzzy Hash: 86C19F71F102599FCB19DFA9D4546ADBAEBBFC8300F148429E406EB394DE789C42CB61
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ActiveWindow
                              • String ID:
                              • API String ID: 2558294473-0
                              • Opcode ID: 0c68338a410608bcd63c05d2fb5f871a7b7e1768ee62c399407130e1cca08692
                              • Instruction ID: b1ce13327f359ddb080fed306d5080617ac6813d08af5a68c2181f1fdd2f3cd8
                              • Opcode Fuzzy Hash: 0c68338a410608bcd63c05d2fb5f871a7b7e1768ee62c399407130e1cca08692
                              • Instruction Fuzzy Hash: 1571A971E1020A9FDB14DFA4D558BADBBFAFF88300F188429E806AB794DB749841CF51
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 056A4769
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 5d3bacd3ede90a64dd8545e19912ac69842a4e6f041230f97b29621695e97c2d
                              • Instruction ID: 07562ef8f299859be004189def645057efe5a9d24504e51743c034112ca12a75
                              • Opcode Fuzzy Hash: 5d3bacd3ede90a64dd8545e19912ac69842a4e6f041230f97b29621695e97c2d
                              • Instruction Fuzzy Hash: BB51C5B1D04219CFDB24DFA9D880BDEBBF5AF49300F10809AD509AB251DA756A89CF91
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 056A4769
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: a399625ae97edd272f0b36ab62944853e8bc38062f8ea86cdf4b73f36ad28541
                              • Instruction ID: 76b563cc413e3e7243f8fa54d23dbbc99e29113db29d0255ad64660aafe2f786
                              • Opcode Fuzzy Hash: a399625ae97edd272f0b36ab62944853e8bc38062f8ea86cdf4b73f36ad28541
                              • Instruction Fuzzy Hash: 9851E6B1D00219CFDB24DFA9D880BCEBBB5BF49300F10809AD509BB251DA756A89CF51
                              APIs
                              • LoadLibraryA.KERNELBASE(?), ref: 02FBDBD9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2669792235.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2fb0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 44376861a15a5b2d4192bfd695130c4c428c9fe25ea33f79faa3022529b44bf6
                              • Instruction ID: a8c6d2b261cd8209fd46fec8bba17567cc4f471054a0c8c0efbad47bbd57e76d
                              • Opcode Fuzzy Hash: 44376861a15a5b2d4192bfd695130c4c428c9fe25ea33f79faa3022529b44bf6
                              • Instruction Fuzzy Hash: 774100B0D002588FDB15CFAAD885BDDBBF1BF48314F109129E814AB394D7B89845CF46
                              APIs
                              • SendMessageW.USER32(?,?,?,?), ref: 09D94663
                              Memory Dump Source
                              • Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              • Opcode ID: 6b6870df9d63271d35b5085d8e9daf1daa224a09b69f614df99ce48740a740dd
                              • Instruction ID: 8fee2811a71947109d27b9d88b7e8e5801b8e3d120e936f2909022353f2ba789
                              • Opcode Fuzzy Hash: 6b6870df9d63271d35b5085d8e9daf1daa224a09b69f614df99ce48740a740dd
                              • Instruction Fuzzy Hash: 3B41CFB5D10258AFCB10DF99D884ADEFBF5EB89320F14902AE814A7320D775A945CFA4
                              APIs
                              • GetModuleHandleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 056A6E32
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 09f6714b394d51a2d361c7e561270498c0c7ca99bfd404baeb38ebf8da601e95
                              • Instruction ID: 5aaed813910f1ac04e42eb3f4a5e706cda2767e8affff41e23cd28ed3011882f
                              • Opcode Fuzzy Hash: 09f6714b394d51a2d361c7e561270498c0c7ca99bfd404baeb38ebf8da601e95
                              • Instruction Fuzzy Hash: A441FDB5D04249DFCB10CFAAD984A9EFBF5FB49210F18806AE808B7311E335A941CF65
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 056A7C3B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 82662616a2c3ffa30cbfc3432f525b539b5f0cb06ce2fe2531afa2a0c106770d
                              • Instruction ID: f5f2364924e91bb2926f3afac88ba922795d6547bf4f0f9abc23913737f13990
                              • Opcode Fuzzy Hash: 82662616a2c3ffa30cbfc3432f525b539b5f0cb06ce2fe2531afa2a0c106770d
                              • Instruction Fuzzy Hash: A14155B9D002589FDB00CFA9D984ADEFBF5FB09310F14906AE918AB310D335AA45CF94
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 056A7C3B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 52c2ff7d2d09e3206d3dd8c0bb193cbb05c846c626babe3df04ab0eac2b24dc9
                              • Instruction ID: d99e8b6a09fdd37e03933dc20241c16e8af285b97d2fb46b931fab4fae9a4b05
                              • Opcode Fuzzy Hash: 52c2ff7d2d09e3206d3dd8c0bb193cbb05c846c626babe3df04ab0eac2b24dc9
                              • Instruction Fuzzy Hash: DC4145B9D002589FDB10CFAAD984ADEBBF5BB09310F14906AE919AB310D335A945CF94
                              APIs
                              • PostMessageW.USER32(?,?,?,?), ref: 09D98FFB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 81c70c040677f9c8cacb9a559738569f0f62f2be13211150d5f93912240552cc
                              • Instruction ID: 597d039dd9d4f286de2811c82ae3b73ae642a4589a913da360aacfd8b9f3823a
                              • Opcode Fuzzy Hash: 81c70c040677f9c8cacb9a559738569f0f62f2be13211150d5f93912240552cc
                              • Instruction Fuzzy Hash: 3E41BAB8C042989FCB10CFA9D984ADDFFB4AB0A310F14905AE814BB261D335A945CF65
                              APIs
                              • MessageBoxW.USER32(?,?,?,?), ref: 056A9E21
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Message
                              • String ID:
                              • API String ID: 2030045667-0
                              • Opcode ID: f3e78be8ec26224c5ddf1c4a61c771ff339cdb300d73792a3a8ed07a3c96794d
                              • Instruction ID: 02eb21eba0e92b2646b4da08c584723671d4dce3a7906fcc5f0d9719e5b4c9a8
                              • Opcode Fuzzy Hash: f3e78be8ec26224c5ddf1c4a61c771ff339cdb300d73792a3a8ed07a3c96794d
                              • Instruction Fuzzy Hash: 7A4178B5D042589FCB14CFA9D884A9EFBF5BB49310F24906AE818BB321D374A945CF94
                              APIs
                              • MessageBoxW.USER32(?,?,?,?), ref: 056A9E21
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Message
                              • String ID:
                              • API String ID: 2030045667-0
                              • Opcode ID: 45d7ef50443f3085076bc8190d1487d29336c7f4fccfb4822e0288eec457d29a
                              • Instruction ID: f4e611b19411ca5762dee2b54925da506669ec0abace23713cc2e4791e5b6f98
                              • Opcode Fuzzy Hash: 45d7ef50443f3085076bc8190d1487d29336c7f4fccfb4822e0288eec457d29a
                              • Instruction Fuzzy Hash: 074178B9D042589FCB10CFA9D984ADDFBF1BB49310F14906AE818BB325D374A946CF54
                              APIs
                              • PeekMessageW.USER32(?,?,?,?,?), ref: 09D9C523
                              Memory Dump Source
                              • Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessagePeek
                              • String ID:
                              • API String ID: 2222842502-0
                              • Opcode ID: 0cc267e116780498bc0aa8dd27e10f18d939f18c9e70b1c30c9f4ee358ad0af4
                              • Instruction ID: 08bf459e911174557e452b81d11834d25a030b08e8c5ba0e2f6e8447d4fe9b2a
                              • Opcode Fuzzy Hash: 0cc267e116780498bc0aa8dd27e10f18d939f18c9e70b1c30c9f4ee358ad0af4
                              • Instruction Fuzzy Hash: 854188B9D04258DFCF10CFAAE584ADEFBF1AB59310F14906AE819BB220D335A945CF54
                              APIs
                              • PeekMessageW.USER32(?,?,?,?,?), ref: 09D9C523
                              Memory Dump Source
                              • Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessagePeek
                              • String ID:
                              • API String ID: 2222842502-0
                              • Opcode ID: 5ec7e60c1606e9ec67f6cd6567932f73252a4d0724b94f667c074e7715a22bb1
                              • Instruction ID: b148a60b778faae834cd1a992e2b835f49d2120e668def1479e57c7fe37022a7
                              • Opcode Fuzzy Hash: 5ec7e60c1606e9ec67f6cd6567932f73252a4d0724b94f667c074e7715a22bb1
                              • Instruction Fuzzy Hash: BD3199B9D04258DFCF10DFAAD484A9EFBF5AB19310F14902AE858BB310D335A945CF64
                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 02FBDEEC
                              Memory Dump Source
                              • Source File: 00000000.00000002.2669792235.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2fb0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 4749b49a2c3dfb73e3c573206b5633a4b00d570cb9538e360940d26dfc41cf39
                              • Instruction ID: 4b3a7f806fb8a186e21955779a8201b8cfcfa2a4733ccb9d28d95e80af860e13
                              • Opcode Fuzzy Hash: 4749b49a2c3dfb73e3c573206b5633a4b00d570cb9538e360940d26dfc41cf39
                              • Instruction Fuzzy Hash: 8F31A7B8D042489FCB10CFAAD984ADEFBF5BF49320F24942AE814B7210D775A945CF58
                              APIs
                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 09D9C878
                              Memory Dump Source
                              • Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CallbackDispatcherUser
                              • String ID:
                              • API String ID: 2492992576-0
                              • Opcode ID: 57e8f0c96427e0845c7290290217e81ce8958d5b2b684241fdb2bdae186cc82d
                              • Instruction ID: c5994493a690b4848ea56d47510a8dd281f56d9536eefbd7ab838fed9c8e7006
                              • Opcode Fuzzy Hash: 57e8f0c96427e0845c7290290217e81ce8958d5b2b684241fdb2bdae186cc82d
                              • Instruction Fuzzy Hash: EA31A8B9D142589FCF10CFAAD484ADEFBF5AB09320F14902AE858B7310D335A944CFA4
                              APIs
                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 09D9C878
                              Memory Dump Source
                              • Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CallbackDispatcherUser
                              • String ID:
                              • API String ID: 2492992576-0
                              • Opcode ID: 457366dac410f5eca217dbf0df45597ef5b11edb4a4f942dc8e41d8d7586cb03
                              • Instruction ID: 06e4b9f56116e055f31786463a9e04adf3691876e3f657271742c4938acc87d1
                              • Opcode Fuzzy Hash: 457366dac410f5eca217dbf0df45597ef5b11edb4a4f942dc8e41d8d7586cb03
                              • Instruction Fuzzy Hash: B8319AB9D042589FCF10CFA9D484ADEFBF5AB09320F14906AE858B7310D375A945CFA4
                              APIs
                              • PostMessageW.USER32(?,?,?,?), ref: 09D98FFB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 0019236b7cb8cd2778c4ac8779d75505d95ce3beb74b139dd48223b0f4e0599d
                              • Instruction ID: 9367fe26de0aa3caf795358bce4925d3882e3159030b5907aad8896945ba9863
                              • Opcode Fuzzy Hash: 0019236b7cb8cd2778c4ac8779d75505d95ce3beb74b139dd48223b0f4e0599d
                              • Instruction Fuzzy Hash: EE3188B9D042589FCB10CFAAD584ADEFBF5AB09310F14902AE818B7310D335A945CF64
APIs
• SendMessageW.USER32(?,?,?,?), ref: 056AA343
Memory Dump Source
• Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend
• String ID:
APIs
• SendMessageW.USER32(?,?,?,?), ref: 09D94663
Memory Dump Source
• Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
Similarity
• API ID: MessageSend
• String ID:
APIs
• SetWindowTextW.USER32(?,?), ref: 09D93986
Memory Dump Source
• Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
Similarity
• API ID: TextWindow
• String ID:
APIs
• GetModuleHandleW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 056A6E32
Memory Dump Source
• Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
Similarity
• API ID: HandleModule
• String ID:
APIs
Memory Dump Source
• Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
Similarity
• API ID: Initialize
• String ID:
APIs
• DispatchMessageW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,-00000018,?), ref: 09D9CDB3
Memory Dump Source
• Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
Similarity
• API ID: DispatchMessage
• String ID:
APIs
• DispatchMessageA.USER32(?), ref: 09581D3B
Memory Dump Source
• Source File: 00000000.00000002.2678664117.0000000009580000.00000040.00000800.00020000.00000000.sdmp, Offset: 09580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9580000_SecuriteInfo.jbxd
Similarity
• API ID: DispatchMessage
• String ID:
APIs
• GetCurrentThreadId.KERNEL32 ref: 056A98DA
Memory Dump Source
• Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
Similarity
• API ID: CurrentThread
• String ID:
APIs
• VirtualAlloc.KERNELBASE(?,?,?,?), ref: 02FBF0C7
Memory Dump Source
• Source File: 00000000.00000002.2669792235.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2fb0000_SecuriteInfo.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
APIs
• GetKeyState.USER32(00000001), ref: 09582675
• GetKeyState.USER32(00000002), ref: 095826BA
• GetKeyState.USER32(00000004), ref: 095826FF
• GetKeyState.USER32(00000005), ref: 09582744
• GetKeyState.USER32(00000006), ref: 09582789
Memory Dump Source
• Source File: 00000000.00000002.2678664117.0000000009580000.00000040.00000800.00020000.00000000.sdmp, Offset: 09580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9580000_SecuriteInfo.jbxd
Similarity
• API ID: State
• String ID:
                              Memory Dump Source
                              • Source File: 00000000.00000002.2669792235.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2fb0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f892777c25dc134c72f9271da779019881a0e2e9421f7754608523e20514134c
                              • Instruction ID: 4f8e0dd3ce05e2d38580f7f3f7cb68fc9c086b740122ecc9aecf6ccc0940bcea
                              • Opcode Fuzzy Hash: f892777c25dc134c72f9271da779019881a0e2e9421f7754608523e20514134c
                              • Instruction Fuzzy Hash: 804110B0D002488FDB11DFAAD884ADEBBF1BF0A340F209129E455AB254D7749885CF86
                              Memory Dump Source
                              • Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6bc668e90aea5c3d44401a3f2279940c58c8c76dd2b01767ba517980f877ab8e
                              • Instruction ID: baf25cf88d58c0f380654c73fd7f4892bf14bd643d2baf4ca8c768eeb7aedc94
                              • Opcode Fuzzy Hash: 6bc668e90aea5c3d44401a3f2279940c58c8c76dd2b01767ba517980f877ab8e
                              • Instruction Fuzzy Hash: DF4198B4D00258DFCB10DFA9D884AEEFBF1BB49310F14942AE818BB250D334A945CF94
                              Memory Dump Source
                              • Source File: 00000000.00000002.2669792235.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2fb0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 94e81f16df489543a78203c95780c43c7d6086f9196773968be9507edd199701
                              • Instruction ID: d684cc68032741b30a04263b38c97a5a3052d8f69e6692b2dae51210d10bb310
                              • Opcode Fuzzy Hash: 94e81f16df489543a78203c95780c43c7d6086f9196773968be9507edd199701
                              • Instruction Fuzzy Hash: 8A5133B1D016589BEB6CCF2B8D456CAFAF7AFC8340F14C1FA954CA6214DB740AC58E50
                              Memory Dump Source
                              • Source File: 00000000.00000002.2679063451.0000000009D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09D90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9d90000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ec1075c8d10cc709c5e8ecc50278d73b8ffa071e9e6592352f9e1f112171b16e
                              • Instruction ID: f1da0eec2f1699bf4677b2eff1a9d0261b269eb0a59eff16b97c4682bf84d868
                              • Opcode Fuzzy Hash: ec1075c8d10cc709c5e8ecc50278d73b8ffa071e9e6592352f9e1f112171b16e
                              • Instruction Fuzzy Hash: 924188B4D00258DFCB10DFA9D984AAEFBF5BB49310F14942AE818BB250D374A945CF94
                              Memory Dump Source
                              • Source File: 00000000.00000002.2678664117.0000000009580000.00000040.00000800.00020000.00000000.sdmp, Offset: 09580000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9580000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 510eed2ef1e0926c993b37cf6b55671ec314d57e60ec0ae7ff0c0d64e4f3e1e4
                              • Instruction ID: b4daac349a016cd0e75a4de55a6a6cd538a117fab8c4483479d79d9e9ec80cc8
                              • Opcode Fuzzy Hash: 510eed2ef1e0926c993b37cf6b55671ec314d57e60ec0ae7ff0c0d64e4f3e1e4
                              • Instruction Fuzzy Hash: 89213930C152498FCB01EFB8D8546EDBFB0BF06301F0496A9E465BB261EB345589DF55
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a907c969dfd6181204209f413e0c4f43f209548ccda45b67538d79976777eefc
                              • Instruction ID: d4e4454d462914bb7eb8eaf90eeedb2160d7c76c604359da77637366fabf3a48
                              • Opcode Fuzzy Hash: a907c969dfd6181204209f413e0c4f43f209548ccda45b67538d79976777eefc
                              • Instruction Fuzzy Hash: E5219BB9E04219DFCB04CFA9D8849AEFBF1BB49310F10A16AE825B7361D7349941CF58
                              Memory Dump Source
                              • Source File: 00000000.00000002.2678664117.0000000009580000.00000040.00000800.00020000.00000000.sdmp, Offset: 09580000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_9580000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7ef95cf7f5c6424d33ce4870c2626bb0a6f0b57ed786a9805a3f0b0596a2da0d
                              • Instruction ID: 93480de958d54046498196eecf2908f6edfb9d85c2e0d691ab5d27f93e5cefcd
                              • Opcode Fuzzy Hash: 7ef95cf7f5c6424d33ce4870c2626bb0a6f0b57ed786a9805a3f0b0596a2da0d
                              • Instruction Fuzzy Hash: F321F330D116088FCB00FFB8D4546EDBBB4BF0A301F00A669E425B7250EB349A89CF55
                              Memory Dump Source
                              • Source File: 00000000.00000002.2674992347.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_56a0000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c0f2e35eeb6506bc3e6872195b474ffa300f2f0145bd9fa54a6800f585ff4f16
                              • Instruction ID: 25cced00f468c44cdf01f3b29048e54e493e53d1ccbae9cd9c7e01760cd4270c
                              • Opcode Fuzzy Hash: c0f2e35eeb6506bc3e6872195b474ffa300f2f0145bd9fa54a6800f585ff4f16
                              • Instruction Fuzzy Hash: 57215DB9D04219DFCB14CFA9D8849AEFBF1BB49310F14A16AE815B7360D7349941CF58