Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
Analysis ID: 1430188
MD5: a4799079bc84bb2dd9a75c7121a0100e
SHA1: c84b87b3af74643cd6b46e701090472ea105994c
SHA256: eb5d609b1dcd6ab9c163c3640c06ff1cd80875592221e4d1208beb318c69ce89
Tags: exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Machine Learning detection for sample
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected potential crypto function
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000000.1651039267.0000000000642000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.2900794099.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe PID: 7112 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.0.SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe.640000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Avira: detected
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | ReversingLabs: Detection: 65%
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Virustotal: Detection: 58%
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed | source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
Source: Binary string: costura.costura.pdb.compressed | source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
Source: Binary string: C:\Users\xmoe\Desktop\KrkrExtract\KrkrExtract\KrkrExtract.Lite\obj\Release\KrkrExtract.Lite.pdb | source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 | source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  http://www.apache.org/licenses/LICENSE-2.0
  http://www.carterandcone.coml
  http://www.fontbureau.com
  http://www.fontbureau.com/designers
  http://www.fontbureau.com/designers/?
  http://www.fontbureau.com/designers/cabarga.htmlN
  http://www.fontbureau.com/designers/frere-user.html
  http://www.fontbureau.com/designers8
  http://www.fontbureau.com/designers?
  http://www.fontbureau.com/designersG
  http://www.fonts.com
  http://www.founder.com.cn/cn
  http://www.founder.com.cn/cn/bThe
  http://www.founder.com.cn/cn/cThe
  http://www.galapagosdesign.com/DPlease
  http://www.galapagosdesign.com/staff/dennis.htm
  http://www.goodfont.co.kr
  http://www.jiyu-kobo.co.jp/
  http://www.sajatypeworks.com
  http://www.sakkal.com
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901607674.00000000053D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com9
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
  http://www.sandoll.co.kr
  http://www.tiro.com
  http://www.typography.netD
  http://www.urwpp.deDPlease
  http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_00C1E21C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_02AD84B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_02AD02A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_02AD0290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_02AD84AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_051B7257
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_051B7268
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_0766C748
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_076647F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_076655B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_07668CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_0766C739
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_07660560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_07660556
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_07668CD6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_07666BB8
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2899884302.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Binary or memory string: OriginalFilenameKrkrExtract.Lite.exeB vs SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal72.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Mutant created: NULL
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | ReversingLabs: Detection: 65%
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Virustotal: Detection: 58%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed | source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
Source: Binary string: costura.costura.pdb.compressed | source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
Source: Binary string: C:\Users\xmoe\Desktop\KrkrExtract\KrkrExtract\KrkrExtract.Lite\obj\Release\KrkrExtract.Lite.pdb | source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 | source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe

Data Obfuscation

Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, AssemblyLoader.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
Source: Yara match | File source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1651039267.0000000000642000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2900794099.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe PID: 7112, type: MEMORYSTR
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Static PE information: 0x92DBB46E [Wed Jan 29 00:55:10 2048 UTC]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_00C1D5DA pushad ; ret 0_2_00C1D5E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_00C1D640 pushfd ; ret 0_2_00C1D641
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_02ADD498 pushfd ; retf 0_2_02ADD499
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_07663D61 push esp; retf 0_2_07663D6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Code function: 0_2_076679D8 push esp; ret 0_2_076679E5
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Static PE information: section name: .text entropy: 7.959425604299709
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Memory allocated: C10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Memory allocated: 2B10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Memory allocated: 10E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, LoaderHelper.cs | Reference to suspicious API methods: GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryW")
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, LoaderHelper.cs | Reference to suspicious API methods: VirtualAllocEx(Process.hProcess, IntPtr.Zero, 4096u, AllocationType.Commit | AllocationType.Reserve, MemoryProtection.ExecuteReadWrite)
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, LoaderHelper.cs | Reference to suspicious API methods: WriteProcessMemory(Process.hProcess, intPtr, array, array.Length, out var lpNumberOfBytesWritten)
Source: SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, Processes.cs | Reference to suspicious API methods: OpenProcess(ProcessAccessFlags.QueryLimitedInformation, bInheritHandle: false, procId)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Native API (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | Virtualization/Sandbox Evasion (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | System Information Discovery (12) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Software Packing (12) | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Timestomp (1) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (2) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label
SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | 66% | ReversingLabs | Win32.Trojan.Tnega
SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | 58% | Virustotal |
SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | 100% | Avira | PUA/Agent.chvcd
SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
Source | Detection | Scanner | Label
http://www.tiro.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | Virustotal |
http://www.founder.com.cn/cn/bThe | 0% | Virustotal |
http://www.founder.com.cn/cn | 0% | Virustotal |
http://www.zhongyicts.com.cn | 1% | Virustotal |
            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com/designers? | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com9 | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901607674.00000000053D4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.carterandcone.coml | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.typography.netD | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.galapagosdesign.com/staff/dennis.htm | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com/designers/frere-user.html | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.urwpp.deDPlease | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.sakkal.com | SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe, 00000000.00000002.2901837860.0000000006DA2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                  No contacted IP infos
                                  Joe Sandbox version:40.0.0 Tourmaline
                                  Analysis ID:1430188
                                  Start date and time:2024-04-23 09:29:09 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 4m 36s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
                                  Detection:MAL
                                  Classification:mal72.evad.winEXE@1/0@0/0
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 30
                                  • Number of non-executed functions: 8
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                  No simulations
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.951180953803567
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
                                  File size:534'016 bytes
                                  MD5:a4799079bc84bb2dd9a75c7121a0100e
                                  SHA1:c84b87b3af74643cd6b46e701090472ea105994c
                                  SHA256:eb5d609b1dcd6ab9c163c3640c06ff1cd80875592221e4d1208beb318c69ce89
                                  SHA512:270c34e16e9e87ebee9d24004f2b501aac43e2e7026b187a95508a30b62dd7ece32ec01e8cdaffa48003ad7915239a4a062f3c7f60f89b3aa57458ff006b5942
                                  SSDEEP:12288:MCYoBipKZdfrXg+JwuKt/S/60pFx8nRbxMhkjo5Bda7EeVJvrhh:MCYoBipKfw+Jwz/S/688nVW6k5BkAeV9
                                  TLSH:7CB4234133989021EB6E3FB848F60A199571E31BC457F7DE89152A2E67273CB4D30B7A
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n.................0......J........... ........@.. ....................................`................................
                                  Icon Hash:e6f0e8d0d0cea0e3
                                  Entrypoint:0x47f8be
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x92DBB46E [Wed Jan 29 00:55:10 2048 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (this instruction repeats for the remaining 97 lines of the listing)

The entry point is the usual stub of a managed executable: a single jmp through the IAT entry at RVA 0x2000 (imagebase 0x400000; see IMAGE_DIRECTORY_ENTRY_IAT below) to the only import, mscoree.dll!_CorExeMain, after which the CLR takes over. The repeated "add byte ptr [eax], al" lines are the disassembler decoding the zero-filled bytes that follow the stub (00 00 is the encoding of that instruction), not real code.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7f870 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x4730 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7f7c0 | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7d8c4 | 0x7da00 | efd8f7f16d0dcea24a7e3c0b760ca426 | False | 0.9498076026119403 | data | 7.959425604299709 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x80000 | 0x4730 | 0x4800 | f1adc448dbd240f35fae09a943347190 | False | 0.9215494791666666 | data | 7.779092187080841 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x86000 | 0xc | 0x200 | ce98923bea123d2abc03d1e88d6afb01 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x80100 | 0x409d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9779940753279729
RT_GROUP_ICON | 0x841b0 | 0x14 | data | | | 1.05
RT_VERSION | 0x841d4 | 0x35c | data | | | 0.40581395348837207
RT_MANIFEST | 0x84540 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
                                  No network behavior found

                                  Target ID:0
                                  Start time:09:29:57
                                  Start date:23/04/2024
                                  Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.31945.28890.exe"
                                  Imagebase:0x640000
                                  File size:534'016 bytes
                                  MD5 hash:A4799079BC84BB2DD9A75C7121A0100E
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1651039267.0000000000642000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2900794099.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:12.7%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:3.9%
                                    Total number of Nodes:204
                                    Total number of Limit Nodes:15
execution_graph: [node/edge serialisation of the execution graph omitted; the Windows API calls reached in the graph are CallWindowProcW, GetModuleHandleW, LoadLibraryExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, KiUserCallbackDispatcher, GetFocus, SetWindowLongW, GetKeyState, DuplicateHandle and CreateWindowExW]

                                    Control-flow Graph
                                    [Graph rendered as an image in the original report; the executed / not-executed block colouring and the raw edge list are not reproduced. Recoverable information: basic blocks 2ad84b8-2ad92de, with calls into the helper functions 2ad7c68 through 2ad8198 and 2ad5928, and indirect call sites whose alternate targets are 51b8098/51b8087, 51b9168/51b9157, 51bc350/51bc360 and 2add178/2add180.]
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2900698494.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2ad0000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: "$"$P
                                    • API String ID: 0-4080636364
                                    • Opcode ID: 0c695520aa828f66d525319aece18c63528c0a3348fb4d263a711ac9c336245a
                                    • Instruction ID: 2873bc720dfe5abc23e098a8cf9da017c43854fd50f88d4042d02b4b9d7e95dc
                                    • Opcode Fuzzy Hash: 0c695520aa828f66d525319aece18c63528c0a3348fb4d263a711ac9c336245a
                                    • Instruction Fuzzy Hash: 44823930A40705CFC729EB74C954A9AB7B3BF89304F504AADD01A6B364DF75A986CF81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph
                                    [Graph rendered as an image in the original report; the executed / not-executed block colouring and the raw edge list are not reproduced. Recoverable information: basic blocks 2ad84aa-2ad92de (a second snapshot of the same function as above), with calls into the helper functions 2ad7c68 through 2ad8198 and 2ad5928, and indirect call sites whose alternate targets are 51b8098/51b8087, 51b9168/51b9157, 51bc350/51bc360 and 2add178/2add180.]
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2900698494.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2ad0000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: "$"$P
                                    • API String ID: 0-4080636364
                                    • Opcode ID: 6728202747e7423d6818017f232e01c8223b888c81921fa36f8f895146831e76
                                    • Instruction ID: 3f91b3c8efa4f7850021cef825ba63e53f57e6d6e148a86608c62a70bb690d64
                                    • Opcode Fuzzy Hash: 6728202747e7423d6818017f232e01c8223b888c81921fa36f8f895146831e76
                                    • Instruction Fuzzy Hash: DD824930A40705CFC729EB74C954A9AB7B3BF89304F504AADD05A6B364DF35A986CF81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2902255466.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7660000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7d36a27f158d8d024fe0d9da0152d71bc6eda686a5c8739bac6e648a3b68f0ec
                                    • Instruction ID: 94e78c0ad3d2982005d2f72684a5644d2ec08cc34b0d8591d5116296f6f5a8db
                                    • Opcode Fuzzy Hash: 7d36a27f158d8d024fe0d9da0152d71bc6eda686a5c8739bac6e648a3b68f0ec
                                    • Instruction Fuzzy Hash: E6525D75A10659CFCB25DF74C844AE9BBB1FF49304F5485D9E40AAB261EB31EA82CF40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2902255466.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7660000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f124dd77adad67cabf62c9910c1d8eacef43b764c4cba51e9cbd785ae3a3fe73
                                    • Instruction ID: a11c50b6835dca2555f13f20edfaa0c9402f0f038d138159e4c1f97b106fdafc
                                    • Opcode Fuzzy Hash: f124dd77adad67cabf62c9910c1d8eacef43b764c4cba51e9cbd785ae3a3fe73
                                    • Instruction Fuzzy Hash: 32323B71A10619CFDB25DF64C949BD9B7B2FF49300F5085A9E40AAB221EB71EA85CF40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2902255466.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7660000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a0d7e11b2d3f3d70ddf595a8ccd81381c3010db5f466ccf37d1d817873f7be97
                                    • Instruction ID: a6946edf69f44a7cd822e32af4175abdbd9841c94fe89a05f202797e8a080ec3
                                    • Opcode Fuzzy Hash: a0d7e11b2d3f3d70ddf595a8ccd81381c3010db5f466ccf37d1d817873f7be97
                                    • Instruction Fuzzy Hash: 8A22E635910A69DFDB21CF51C844BDAF7B2FF89300F1185DAE948AB220E771AA95CF41
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2902255466.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7660000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 06213e4fc45a074091f81294dd3220cd75bfe98fd07aeaf247a723b4d77d03ce
                                    • Instruction ID: 3e97797c420aa5618cd4fb80fa3901c3257a65d85d6a7cafb8805d91864e1ed8
                                    • Opcode Fuzzy Hash: 06213e4fc45a074091f81294dd3220cd75bfe98fd07aeaf247a723b4d77d03ce
                                    • Instruction Fuzzy Hash: B3E1F735910669DFDB22CF90CC44BDABBB2FF49300F1185DAE5086B260E771AA95DF81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2902255466.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7660000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6684cf9c921158226c93cae137ef5aa80daf7cea0cdb43cf62dc591a5d289921
                                    • Instruction ID: d9982c145e243653226f63b3f810c9e80ead7975f462de39c16b1fb2b5739eeb
                                    • Opcode Fuzzy Hash: 6684cf9c921158226c93cae137ef5aa80daf7cea0cdb43cf62dc591a5d289921
                                    • Instruction Fuzzy Hash: 06C16AB4D0021ACFDB28CF68D898B9DBBF1EF48714F548059E81AA7351D774A941CF92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2902255466.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7660000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0ad7d3226cb4d5354cb51efc150d61ab0a64fdfee07281330db5fb62e9724fb0
                                    • Instruction ID: a1bf8b8e88129d9f3b633969354b4460ec4455ac413eca296099461d802529f6
                                    • Opcode Fuzzy Hash: 0ad7d3226cb4d5354cb51efc150d61ab0a64fdfee07281330db5fb62e9724fb0
                                    • Instruction Fuzzy Hash: 77B16AB4D0021ACFDB28CF68D888B9DBBF1EF48714F548059E81AA7351DB74A941CF92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph
                                    [Graph rendered as an image in the original report; the executed / not-executed block colouring and the raw edge list are not reproduced. Recoverable information: basic blocks c1d6f2-c1d8cd, calling GetCurrentProcess, GetCurrentThread, GetCurrentProcess again, then the helper c1d8d2 and finally GetCurrentThreadId.]
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00C1D77E
                                    • GetCurrentThread.KERNEL32 ref: 00C1D7BB
                                    • GetCurrentProcess.KERNEL32 ref: 00C1D7F8
                                    • GetCurrentThreadId.KERNEL32 ref: 00C1D851
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899817663.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c10000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: d988187a6f69630c403318699d9937e657e05e931ae514edb743d753a017c6fe
                                    • Instruction ID: ceaeb1ceb4603d1346923beea1d1a4a1fd62efe7a8411d7da0e81427a710f89a
                                    • Opcode Fuzzy Hash: d988187a6f69630c403318699d9937e657e05e931ae514edb743d753a017c6fe
                                    • Instruction Fuzzy Hash: 485187B09002498FDB18DFA9D588BDEBFF1AF49308F24C4A9E059A72A0C7745985CF65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph
                                    [Graph rendered as an image in the original report; the executed / not-executed block colouring and the raw edge list are not reproduced. Recoverable information: basic blocks c1d700-c1d8cd (a second snapshot of the function above), calling GetCurrentProcess, GetCurrentThread, GetCurrentProcess again, then the helper c1d8d2 and finally GetCurrentThreadId.]
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00C1D77E
                                    • GetCurrentThread.KERNEL32 ref: 00C1D7BB
                                    • GetCurrentProcess.KERNEL32 ref: 00C1D7F8
                                    • GetCurrentThreadId.KERNEL32 ref: 00C1D851
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899817663.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c10000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: ee702251e1ee18bc295d486fb0d100a153fe63b64a85dc70d46d78b4d3f24a24
                                    • Instruction ID: 5ba5dbaa5a208ee9ab4436033e1ccea4f35e339268cc16c1fa910bbedf5dcc37
                                    • Opcode Fuzzy Hash: ee702251e1ee18bc295d486fb0d100a153fe63b64a85dc70d46d78b4d3f24a24
                                    • Instruction Fuzzy Hash: 505179B09006498FDB18DFA9D588BDEBBF1EF49318F20C469E019A73A0D7749984CF65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2900698494.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2ad0000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9685b66bc6c577c10b9ec6e4d2cda9dfb9ee725af2e894da9c17f5e950c788a7
                                    • Instruction ID: 770d4b9e10097895a1b852a9cde7bef2cac49803f8394bd8bf062a46ca2d44d4
                                    • Opcode Fuzzy Hash: 9685b66bc6c577c10b9ec6e4d2cda9dfb9ee725af2e894da9c17f5e950c788a7
                                    • Instruction Fuzzy Hash: 5C221D74A04205CFDF14DF98D5C9AAEB7B2EB88314F248196D913A7365CF349885CF92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00C1B6BE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899817663.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c10000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 161d910055ec45434c4de32ce5c2e86ba0b50836e34a57eaded0092a89986e08
                                    • Instruction ID: cd5b84d2a0fd3f310cd14aca300ad02f2a85857a75b68b8265af90b8022989cb
                                    • Opcode Fuzzy Hash: 161d910055ec45434c4de32ce5c2e86ba0b50836e34a57eaded0092a89986e08
                                    • Instruction Fuzzy Hash: A98135B0A00B058FD724DF29D45179ABBF2BF89300F108A2DE496D7A50E775E989DF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00C15DA9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899817663.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c10000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 44fa3e6f3ce4226001edd64411dbdad782e11dae136258fe6b152f6376bea1ef
                                    • Instruction ID: d99b5f11bd02895d9f57b75f9d9ad5225ca958b38aec4d17fc5ddfaacf451271
                                    • Opcode Fuzzy Hash: 44fa3e6f3ce4226001edd64411dbdad782e11dae136258fe6b152f6376bea1ef
                                    • Instruction Fuzzy Hash: C45103B1C00719CEDB24DFA9C8447DDBBF5AF89304F2480AAD458AB291D7756A86CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02AD2062
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2900698494.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2ad0000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: 50ea95ab34f1c12055c39ae7cd151c77e85d1387df529e4fbbbfe5278b0a81cb
                                    • Instruction ID: 2e10da3343c710da621a64b66dd08511fc6a05a831ff2330e7920c55fa970f14
                                    • Opcode Fuzzy Hash: 50ea95ab34f1c12055c39ae7cd151c77e85d1387df529e4fbbbfe5278b0a81cb
                                    • Instruction Fuzzy Hash: 3A51DDB1D00348DFDB14CFA9C884ADEBFB1BF88304F64812AE819AB215D7719885CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02AD2062
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2900698494.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2ad0000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: c531ae681e13fc5e45a512bd36ac0894700645298fb08c106f5f6a34b4fb7763
                                    • Instruction ID: 5177fd3baccd9c91417bbbd0fbc785a74c7e109858748a76cf5e3031940e98d0
                                    • Opcode Fuzzy Hash: c531ae681e13fc5e45a512bd36ac0894700645298fb08c106f5f6a34b4fb7763
                                    • Instruction Fuzzy Hash: 8A41C0B1D00349DFDB14CFA9C884ADEBFB5BF88314F64812AE819AB214D7759845CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 02AD45D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2900698494.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2ad0000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: CallProcWindow
                                    • String ID:
                                    • API String ID: 2714655100-0
                                    • Opcode ID: 2017adbedb112cc97b5e44a6ac9b80848363f9fc824672ee3e702c49c0253a9a
                                    • Instruction ID: f10fb3fd5a1f76d879b5ecec19a6cf5e908bb04fc9efee168b4dd10fe6e2a9de
                                    • Opcode Fuzzy Hash: 2017adbedb112cc97b5e44a6ac9b80848363f9fc824672ee3e702c49c0253a9a
                                    • Instruction Fuzzy Hash: D641F9B4900305DFCB54CF99C488AAABBF5FB88314F24C459D51AAB321D775A941CFA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00C15DA9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899817663.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c10000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    • Opcode ID: 53b7dd65f9c1bde18ecfc6c367b219affdc5cd6ed23b3ad847e4d635e55dd4e1
                                    • Instruction ID: 0a6c1511f101eb00cfadfa3d8d4d4c4127765e8473589b1d42b9ab64684b55d4
                                    • Opcode Fuzzy Hash: 53b7dd65f9c1bde18ecfc6c367b219affdc5cd6ed23b3ad847e4d635e55dd4e1
                                    • Instruction Fuzzy Hash: 6241E5B0D00719CFDB24DF99C9447DDBBB5BF89304F20806AD418AB255DB756985CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C1D9CF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899817663.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c10000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: e1717971044b7b79664a45662fb91eb6346999716dfd5f925804e49ceb2d936c
                                    • Instruction ID: 8d68f844f172086b606291f91e1199fe39cb1c35afb8918355ceb5969a3832eb
                                    • Opcode Fuzzy Hash: e1717971044b7b79664a45662fb91eb6346999716dfd5f925804e49ceb2d936c
                                    • Instruction Fuzzy Hash: 0D2116B59002499FDB10CFA9D584AEEFFF4EF49310F14805AE854A7350D375A945CF60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C1D9CF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899817663.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c10000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: a950958f4fc34a16ed68a93cd86d7dad9e3827a8a0f6aa8c22e76dc4a1b3df9f
                                    • Instruction ID: aae082360dcb0bbe90c8ecd02d7571edb71ffaa3a6f22d237ecbef6703400632
                                    • Opcode Fuzzy Hash: a950958f4fc34a16ed68a93cd86d7dad9e3827a8a0f6aa8c22e76dc4a1b3df9f
                                    • Instruction Fuzzy Hash: 3921D5B59002599FDB10CF9AD584ADEFFF4FB48310F14841AE954A7350D374A944CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C1B739,00000800,00000000,00000000), ref: 00C1B94A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899817663.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c10000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 8b889b6a362cc9c27f33d837efba373646c73f4ec588a2cfb27de19351012822
                                    • Instruction ID: bbaed9c05dd15dedfb384cccc06422db25e03370389c6741ef9fe629c800d738
                                    • Opcode Fuzzy Hash: 8b889b6a362cc9c27f33d837efba373646c73f4ec588a2cfb27de19351012822
                                    • Instruction Fuzzy Hash: 5D1126B6D003499FDB10CF9AD484ADEFBF4EB89320F10842AE559B7210C375A945CFA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C1B739,00000800,00000000,00000000), ref: 00C1B94A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899817663.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c10000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 796836de61810ab0a652dbffdbf5ffc78887fc5f25b2ab58d0eaaf22c3801ca3
                                    • Instruction ID: 2aa0b03e33b907db07b92784210075078eb8530ef2531403c32a6e0ca9fa607b
                                    • Opcode Fuzzy Hash: 796836de61810ab0a652dbffdbf5ffc78887fc5f25b2ab58d0eaaf22c3801ca3
                                    • Instruction Fuzzy Hash: 031126B6D003498FCB14CF9AD484ADEFBF4EF88320F10842AE559A7210C379A945CFA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00C1B6BE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899817663.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c10000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: acdfa97386bde21815d5f9c05aece7c8dfed0bcd7dc5dea8990fbed451e1ca45
                                    • Instruction ID: c8c99829dd4f6b75cfe6f574cdd0dec4a13f4483761fbf9bec2a7b85be279ea1
                                    • Opcode Fuzzy Hash: acdfa97386bde21815d5f9c05aece7c8dfed0bcd7dc5dea8990fbed451e1ca45
                                    • Instruction Fuzzy Hash: 5711F5B5C003498FCB14CF9AD444ADEFBF4EF89314F10841AD469A7610D375A945CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetWindowLongW.USER32(?,?,?), ref: 02AD21F5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2900698494.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2ad0000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID:
                                    • API String ID: 1378638983-0
                                    • Opcode ID: ee86fd4a635d7f374b60885a05b84363e03b115b934d1e4e171146c692472e0d
                                    • Instruction ID: 9d2b04e163de7848a58d36cd46aaab661eddf9ef6649b6deec01bd4f93f093e3
                                    • Opcode Fuzzy Hash: ee86fd4a635d7f374b60885a05b84363e03b115b934d1e4e171146c692472e0d
                                    • Instruction Fuzzy Hash: BE1133B58002498FDB20CF9AC985BDEFFF8EB48324F10845AE958B3200C374A944CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetWindowLongW.USER32(?,?,?), ref: 02AD21F5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2900698494.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2ad0000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID: LongWindow
                                    • String ID:
                                    • API String ID: 1378638983-0
                                    • Opcode ID: 0cb6ecfeb7a4ac38db75d1248b1b23337f9087ff7d1b13b77ebbca31e900d5b9
                                    • Instruction ID: 8772f1d64c169009fc560cf9fa7e2b719a45e31490e85ae38b1e87b59843ddf3
                                    • Opcode Fuzzy Hash: 0cb6ecfeb7a4ac38db75d1248b1b23337f9087ff7d1b13b77ebbca31e900d5b9
                                    • Instruction Fuzzy Hash: D21103B58002488FDB10CF9AD584BDEFBF8EB48324F10841AE959A7240C374A944CFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899654294.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bcd000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 990a1ba393b91218712f7148d4fef7fd2f9ea5782b5a9bddd88db0955236f7c0
                                    • Instruction ID: 02cb5319191c1c038df7259befb28442ade10ab4f91d250430d2502668f0afc4
                                    • Opcode Fuzzy Hash: 990a1ba393b91218712f7148d4fef7fd2f9ea5782b5a9bddd88db0955236f7c0
                                    • Instruction Fuzzy Hash: C721F279604200DFCB14DF18D9D4F26BBA5FB84314F20C5BDD84A4B296C33AD847CA61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899654294.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bcd000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b0baefa7402dbaee4c89539907320a2fdfddeff2f67c511239176aac8f519a7a
                                    • Instruction ID: fc2583180a1f075e6b90a27914f65df16cedfcf8e4a0d146080a6ef3ea8297c8
                                    • Opcode Fuzzy Hash: b0baefa7402dbaee4c89539907320a2fdfddeff2f67c511239176aac8f519a7a
                                    • Instruction Fuzzy Hash: 6021C279604204EFDB05DF14D9C4F26BBA5FB84314F24C6BDE9494F296C336D846CA61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899654294.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bcd000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 10033704870f7c1dcef04ffaf169b93776eca173bd96e9aa455b018bb5157c3a
                                    • Instruction ID: 5c3a03c0a77014b413fdd107e2ce4368180636ed9f27aa28b5560a9048b22515
                                    • Opcode Fuzzy Hash: 10033704870f7c1dcef04ffaf169b93776eca173bd96e9aa455b018bb5157c3a
                                    • Instruction Fuzzy Hash: B621F2B9604280DFDB019F14D9C0F2ABBA5FBC4314F24C6BDD8094B256C33AD846C6A2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899654294.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bcd000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8e517950672f950348ed78f34663b5b562a896c884bfa74ab9d2204fd5b54191
                                    • Instruction ID: 0a70eb481d9c5fede5a408c845d429afad0ed33c3c546964da2aad299f2548a9
                                    • Opcode Fuzzy Hash: 8e517950672f950348ed78f34663b5b562a896c884bfa74ab9d2204fd5b54191
                                    • Instruction Fuzzy Hash: 6521A4795093808FCB12CF24D594B15BFB1EB45314F28C5EED8498B697C33A980ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899654294.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bcd000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                    • Instruction ID: 97db473e314b700b86696e84024d815658e6e16cdaee8845987cd93f5fe340d2
                                    • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                    • Instruction Fuzzy Hash: E0118B7A604280DFDB16CF14D9C4B15BBA1FB84314F24C6AED8494F696C33AD84ACB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899654294.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_bcd000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
                                    • Instruction ID: cb523e5094a50ae4ca0d8731180d403fd2703ef1312f94dc0e5e554939ba31ba
                                    • Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
                                    • Instruction Fuzzy Hash: D9119079504280DFDB12CF14D5C4B19BBA1FB84324F24C6AED8494B656C33AD80ACBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2902255466.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7660000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: $G
                                    • API String ID: 0-3730614887
                                    • Opcode ID: 080d0135a1bd9a6f5cb26117d663425e2aa074ea8c9879f19c0b98ac72930aef
                                    • Instruction ID: 1c97c1e6820c86c25ee2e7d9e3ce239e7c2e8b395c8c278711a890a10a8331b2
                                    • Opcode Fuzzy Hash: 080d0135a1bd9a6f5cb26117d663425e2aa074ea8c9879f19c0b98ac72930aef
                                    • Instruction Fuzzy Hash: 92822975A10219CFCB25DF64C858B99B7B2FF89304F5581A9E40AAB361DB31AE85CF40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2902255466.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7660000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: fff?
                                    • API String ID: 0-4136771917
                                    • Opcode ID: ec8307ae516faa2c46bfdc15397a6002ff058e745ede4f3b6c7fab8d4666c8d4
                                    • Instruction ID: d3280d62badea7fa422ff5e7b4fc168d004487bd4ed5da7a575ad923e9d528e0
                                    • Opcode Fuzzy Hash: ec8307ae516faa2c46bfdc15397a6002ff058e745ede4f3b6c7fab8d4666c8d4
                                    • Instruction Fuzzy Hash: 9A626A36810A1ADFCF11DF50C888AD9B7B2FF99300F1586D5E9096B121EB71AAD5CF80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2902255466.0000000007660000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7660000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: fff?
                                    • API String ID: 0-4136771917
                                    • Opcode ID: e650e04e33594418f48ed7f7f6249b11e217edc8af94f100ec0857bfd0f3f928
                                    • Instruction ID: 6807a36d5f848bcdf6dda23385f03f7b8febdc1d156097403302b28fc2184d30
                                    • Opcode Fuzzy Hash: e650e04e33594418f48ed7f7f6249b11e217edc8af94f100ec0857bfd0f3f928
                                    • Instruction Fuzzy Hash: 8A125C76900619DFCF11DF50C888AD9BBB2FF49300F1585E5E8096B266EB719E96CF80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2900698494.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2ad0000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4504e836392f50b7e722ae595a2071f00d07b76c7e6615d6c7f1e58854ad9e4e
                                    • Instruction ID: b774784f00d7be950a547f3b86411181071ed5b4ab2a05fba5856fa765f4d08e
                                    • Opcode Fuzzy Hash: 4504e836392f50b7e722ae595a2071f00d07b76c7e6615d6c7f1e58854ad9e4e
                                    • Instruction Fuzzy Hash: C51293B44017458AD3B8CF65E94C18D7BB6FB41328B90C329DA752A2E9DBB815CBCF44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2901344426.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_51b0000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e64ffc7af6b2197634be015e265f6d09af1ead8ab0729e25bda761a307956dc8
                                    • Instruction ID: 410417a9da7ee01f4e1ea0b32d1900d1d70102f86aa94fe808d5631fba1c47db
                                    • Opcode Fuzzy Hash: e64ffc7af6b2197634be015e265f6d09af1ead8ab0729e25bda761a307956dc8
                                    • Instruction Fuzzy Hash: 06D1FA31D2075ACACB10EBA4D990A9DB7B1FF95300F50C79AD4093B615EB70AAC5CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2899817663.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_c10000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f0b4731699bf7fe121f41e2eafef89c843ebd5afe94b3474f0bff2167e58497e
                                    • Instruction ID: d22ba40b4d2ad72be07a5590a6fed05c313783a785ecf4e30582d48466de4129
                                    • Opcode Fuzzy Hash: f0b4731699bf7fe121f41e2eafef89c843ebd5afe94b3474f0bff2167e58497e
                                    • Instruction Fuzzy Hash: 62A18C32E002158FCF09DFB5C8505DEB7B2FF86300B15857AE815AB265DB71E996EB40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2901344426.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_51b0000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6ab0fadc6c729ce505ead8aa819414ac8fc1070af99df1a3c2fc5c87603edebc
                                    • Instruction ID: 8bd4a0d72206fe9895b568ca77be3d99f779247538208c2742c95a4d8ab7a86f
                                    • Opcode Fuzzy Hash: 6ab0fadc6c729ce505ead8aa819414ac8fc1070af99df1a3c2fc5c87603edebc
                                    • Instruction Fuzzy Hash: 06D1E931D2075ACACB10EBA4D990A9DB7B1FF95300F50C79AD4093B615EB70AAC5CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2900698494.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2ad0000_SecuriteInfo.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 352612aeed92394e79ee079acd17c730ab07e7ceaabd73b9eb7740479ef9c31a
                                    • Instruction ID: 3c5b9c55523ac3d520cb5052ed54b1d2ec4178f7ad84fd740f3b76c490ea4743
                                    • Opcode Fuzzy Hash: 352612aeed92394e79ee079acd17c730ab07e7ceaabd73b9eb7740479ef9c31a
                                    • Instruction Fuzzy Hash: 7FC1F5B08007468AD7A8CF65E84818D7BB6FB85328F50C329D9716B6E9DBB415CBCF44
                                    Uniqueness

                                    Uniqueness Score: -1.00%