
Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
Analysis ID: 1431467
MD5: 0cddb3e724f9bb0314bf8c50db240cf0
SHA1: 8018274d23411ab33bf16168036de21e2790aa0b
SHA256: 3ebacca195af8a57792fa7fa13c371bc68078d8c33f0d16220c6b65df1271d3e
Tags: exe

Detection

Detected families: AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup

Malware family (Name | Description | Attribution | Link):

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla):
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.orako.co.ke", "Username": "infooo@orako.co.ke", "Password": "zVY1H)4,AgHi"}
Yara matches in memory dumps (Source | Rule | Description | Author):

00000000.00000002.1236849879.0000000005C30000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1233750900.0000000004089000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000003.00000002.2474501053.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.2474501053.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.2479468346.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(The full report lists 9 entries; the first five are shown.)

Yara matches in unpacked PE files (Source | Rule | Description | Author):

0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.5c30000.6.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4089970.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4089970.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.5c30000.6.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
3.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(The full report lists 16 entries; the first five are shown.)

System Summary

Sigma rule match (Author: frack113)
Source: Network Connection
Data: DestinationIp: 34.195.165.88, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, Initiated: true, ProcessId: 6464, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49703

Snort IDS alerts:

Timestamp: 04/25/24-08:25:09.444640
SID: 2839723
Source Port: 49703
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/25/24-08:25:09.444640
SID: 2030171
Source Port: 49703
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.orako.co.ke", "Username": "infooo@orako.co.ke", "Password": "zVY1H)4,AgHi"}
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Virustotal: Detection: 26%
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Code function: 4x nop then jmp 0751F0ACh (0_2_0751EB56)

Networking

Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49703 -> 34.195.165.88:587
Source: Traffic; Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.7:49703 -> 34.195.165.88:587
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.7:49703 -> 34.195.165.88:587
Source: Joe Sandbox View; ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: mail.orako.co.ke
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000003.00000002.2479468346.0000000002B16000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.orako.co.ke
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000003.00000002.2479468346.0000000002B16000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://orako.co.ke
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000000.00000002.1233750900.0000000004A77000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000003.00000002.2474501053.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, 7KG.cs; .Net Code: aGi4VV2gZU

System Summary

Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000000.00000002.1233750900.0000000004A77000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000000.00000002.1233750900.0000000004A77000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename80beecf9-d8bb-408c-a8dd-0d1f316d4d09.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000000.00000002.1230844044.000000000124E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000000.00000002.1238231858.0000000009DB0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000000.00000002.1232058646.000000000330F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename80beecf9-d8bb-408c-a8dd-0d1f316d4d09.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000003.00000002.2474501053.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilename80beecf9-d8bb-408c-a8dd-0d1f316d4d09.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000003.00000002.2475121065.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Binary or memory string: OriginalFilenamewst.exe" vs SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, 1UT6pzc0M.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, DnQOD3M.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, 01seU.cs; Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, iUDwvr7Gz.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, XUu2qKyuF6.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, aZathEIgR.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, l50VLEll22.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, dORaYORm5fJGaQ8iyt.cs; Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, dORaYORm5fJGaQ8iyt.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, dORaYORm5fJGaQ8iyt.cs; Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, IDRN8MVUIJrA0SyCMB.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, IDRN8MVUIJrA0SyCMB.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, IDRN8MVUIJrA0SyCMB.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, dORaYORm5fJGaQ8iyt.cs; Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, dORaYORm5fJGaQ8iyt.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, dORaYORm5fJGaQ8iyt.cs; Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, dORaYORm5fJGaQ8iyt.cs; Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, dORaYORm5fJGaQ8iyt.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, dORaYORm5fJGaQ8iyt.cs; Security API names: _0020.AddAccessRule
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Mutant created: NULL
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Sections loaded (first listing): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe; Sections loaded (second listing): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4089970.4.raw.unpack, V4uC3Iifq56IKQcfry.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.5c30000.6.raw.unpack, V4uC3Iifq56IKQcfry.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, SpreadsheetName.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, dORaYORm5fJGaQ8iyt.cs .Net Code: CB7hSpfH9l System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, dORaYORm5fJGaQ8iyt.cs .Net Code: CB7hSpfH9l System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, dORaYORm5fJGaQ8iyt.cs .Net Code: CB7hSpfH9l System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe Code function: 0_2_05608E78 push eax; mov dword ptr [esp], ecx 0_2_05608E7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe Code function: 0_2_05609951 push eax; ret 0_2_05609983
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe Static PE information: section name: .text entropy: 7.967039469679906
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4089970.4.raw.unpack, V4uC3Iifq56IKQcfry.cs High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4089970.4.raw.unpack, vpednoN8EZgsJ4TDwx.cs High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, y55w4XYrT05NJ8fEt8.cs High entropy of concatenated method names: 'RL8dO2KAsa', 'hqjdYrSvnu', 'fGKdlANn9Q', 'tC0dcki6fh', 'zvHdIBvs2j', 'OmQdaceDfq', 'nW2dfkyTCM', 'uEVdpZYsqT', 'sFTdylimSh', 'LOXdRv8Tak'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, liy52BcVgrK9D3eV2g.cs High entropy of concatenated method names: 'Mu9SpT8Tl', 'nskZuXp78', 'g5KvGtMOF', 'tZwxbhy1i', 'jIwuqqSM0', 'guV7aL1uB', 'gOdjroqGqSc8vI08ey', 'kr58qEDYQfLhiPv1ZP', 'XmYdLggqO', 'I0EQTTT6j'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, NqRetdwKyEQANgksvaT.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VDeQWeo6YI', 'VDbQGAQb2C', 'OFpQDJcCm2', 'NjcQkCGH5Y', 'PkVQ03vo4P', 'VVVQwfreE7', 'eGAQo4laaL'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, v3p5tPww9U711rXVmOR.cs High entropy of concatenated method names: 'ToString', 'U0vQefYDLX', 'QGaQh4OOkG', 'dH3QmihnYZ', 'b42QOtZZXv', 'u2gQY45ZQ3', 'nndQlG3FA2', 'rP6QckeSuc', 'oYcVmF9uO9EpDONMlCN', 'RfZVls9W2trhJ9yZERD'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, ucmfMisTFcsKjD2M54.cs High entropy of concatenated method names: 'Dispose', 'hF24EddVEj', 'clVKss0oRi', 'KjoJJcs83Y', 'ihv48S7Hqp', 'Hij4zkZMmU', 'ProcessDialogKey', 'C5TKXwU8oA', 'qOOK4ZfogR', 'mFdKKvsF8F'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, IDRN8MVUIJrA0SyCMB.cs High entropy of concatenated method names: 'UxYYWjZRIp', 't7nYGmOXsj', 'XJ3YD8MxWs', 'fc9YkvyZxd', 'k6HY0LnP2p', 'hgPYw2vyau', 'cNXYoSABXM', 'IsbYBncv6G', 'biKYECKVTu', 'zlmY8yuFhY'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, WqdwxofqOpLZq10lrf.cs High entropy of concatenated method names: 'nYAi4tXolT', 'lXfiehmp5L', 'ak8ihkkZ61', 'VM2iOpbJjb', 'JRxiYv0crR', 'IqHiceYVJ2', 'so9iIYSutY', 'CdDdoDeXME', 'GhhdBjYqcm', 'UiYdEQEqLy'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, dORaYORm5fJGaQ8iyt.cs High entropy of concatenated method names: 'FvMemUbnfe', 'Wd9eONEj2M', 'Aa3eYTBdpC', 'HJyeldAeIZ', 'NDZecdWFVQ', 'vT7eIufrsE', 'SQkeaHC47N', 'glgefPsb5a', 'iXaepWK2th', 'Ygfeyb4tRG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, M0EuCRCCG3XyHGWKdZ.cs High entropy of concatenated method names: 'D23a3JtAAR', 'sOcaL4Arlo', 'ytZaSxNUp8', 'u7naZd0N7w', 'FJIa2n7Fq7', 'pnTavQh62l', 'JNtaxerryV', 'UtBa1duKSG', 'eVjau8FKDI', 'Lgta7aGFUH'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, zcrvAxZuxmnBJA23bK.cs High entropy of concatenated method names: 'etiFBdPOr0', 'g5IF8eibvv', 'l3xdXeA7Df', 'IuXd4lwSVO', 'kASFAMhnPN', 'ubGFnkk47v', 'AdJFjtOg3d', 'b8ZFWTh1oO', 'dqdFG6mytc', 'zdTFD9NMnb'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, JpbNvUPlp312cYnUNG.cs High entropy of concatenated method names: 'b275HO8k2N', 'lf55nRJKJt', 'lpY5Wb61H9', 'u1Y5Gkeq7p', 'kdC5sXBDvU', 'O3X5rxlTVU', 'nCO5PYjO6X', 'Rjl5MiXZBJ', 'I2u5TMaRww', 'oTw5gQA7ZM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, CGpJ6owtIVw5ePQCG6T.cs High entropy of concatenated method names: 't4Ti3qSMNa', 'j18iL199El', 'vM8iSkMy4I', 'NgwiZ7eC2Q', 'NwGi2kPKlL', 'luRivThSdp', 'HWhixbvVvc', 's2Di1SfAqd', 'x0tiuNr187', 'aaJi75reEU'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, wFx1lvEKdkq6Xo2d2e.cs High entropy of concatenated method names: 'D5q4aNqNZf', 'CUK4figavu', 'FIk4yFurs7', 'ET14RpDSCw', 'hIB45n5QE2', 'L8h4bVQY5y', 'v42I1dtCmvJJ5VXLfi', 'vPFYhTsBGcFfSASE8j', 'oK144fZE9y', 'Oo04eibZID'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, k8hVAwlW9m71gDlmPe.cs High entropy of concatenated method names: 'lJ6aOJivFq', 'yK4al1jkBD', 'oHraIKQtFE', 'KrXI8c1TvD', 'unvIzid621', 'Eh7aX6fP0C', 'C44a4QonJG', 'eQPaKAmf8i', 'y7oaeVaYpA', 'LkaahLjSEG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, YF266j00O1igmilr8K.cs High entropy of concatenated method names: 'wXRC1T244F', 'XWECuMZULj', 'xHjCUY8xKB', 'd1YCsMejOs', 'MBlCPq40QD', 'VolCM3SpTJ', 'V0oCgfNCbS', 'lIdCtnBZ82', 'en8CH7BnNI', 'TErCAFU2hn'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, OhFXwUIhh9W5wbocTw.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'SmNKE66Bdr', 'wqcK8R9hNm', 'V5gKzORk0r', 'EOCeXISrJC', 'M49e4G8JQZ', 'H72eKGNT7W', 'p0NeefX7bC', 'JTGWUZISbS8LojYioXF'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, xyCo7ZMN4Vd6lXUDIO.cs High entropy of concatenated method names: 'uv8ImLtXYx', 'K54IYBqEEb', 'ytHIcJLWWF', 'MkyIa5Fdx4', 'zwwIf1XNUv', 'cZQc0MxVES', 'nPdcwJ5UBd', 'Abuco3HPI5', 'D0VcBo9KT3', 'H96cESLMBm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, KRc7epz1PCU6q1v26X.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MwZiCrBY0G', 'QYIi58Ko8j', 'aTSibLRNgZ', 'upliFcHlO2', 'fNaid4T4bI', 'a4jiiYZ4LI', 'm1BiQewPK2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, M9vABfOXDxbor8pHPm.cs High entropy of concatenated method names: 'ToString', 'aWbbA5QReq', 'LAIbsL5Qa2', 'mGjbrG5MHr', 'krRbPjWRNk', 'y66bMnbPx3', 'hstbTRPcUi', 'kFVbgEbFXr', 'dKobtMRFBX', 'quEb9HMXWA'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, WlSBKFHkk2rC9q8gdm.cs High entropy of concatenated method names: 'l6AdUVZ4lR', 'HWfdsN6iy6', 'BZZdrDdZMc', 'UWwdPAaStG', 'R6udWHVTsd', 'bGZdM97mMq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, rDYk704Y4EKOqrDw6I.cs High entropy of concatenated method names: 'FJdlZpw9gJ', 'LALlvCRsV4', 'zUBl1Tl7Wm', 'DJFluX5Fti', 'vyrl51491V', 'oIllbHwRx0', 'DPulFrNEoK', 'dRnldP8w0q', 'x7wli9TT9y', 'pDxlQJQpW1'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, y55w4XYrT05NJ8fEt8.cs High entropy of concatenated method names: 'RL8dO2KAsa', 'hqjdYrSvnu', 'fGKdlANn9Q', 'tC0dcki6fh', 'zvHdIBvs2j', 'OmQdaceDfq', 'nW2dfkyTCM', 'uEVdpZYsqT', 'sFTdylimSh', 'LOXdRv8Tak'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, liy52BcVgrK9D3eV2g.cs High entropy of concatenated method names: 'Mu9SpT8Tl', 'nskZuXp78', 'g5KvGtMOF', 'tZwxbhy1i', 'jIwuqqSM0', 'guV7aL1uB', 'gOdjroqGqSc8vI08ey', 'kr58qEDYQfLhiPv1ZP', 'XmYdLggqO', 'I0EQTTT6j'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, NqRetdwKyEQANgksvaT.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VDeQWeo6YI', 'VDbQGAQb2C', 'OFpQDJcCm2', 'NjcQkCGH5Y', 'PkVQ03vo4P', 'VVVQwfreE7', 'eGAQo4laaL'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, v3p5tPww9U711rXVmOR.cs High entropy of concatenated method names: 'ToString', 'U0vQefYDLX', 'QGaQh4OOkG', 'dH3QmihnYZ', 'b42QOtZZXv', 'u2gQY45ZQ3', 'nndQlG3FA2', 'rP6QckeSuc', 'oYcVmF9uO9EpDONMlCN', 'RfZVls9W2trhJ9yZERD'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, ucmfMisTFcsKjD2M54.cs High entropy of concatenated method names: 'Dispose', 'hF24EddVEj', 'clVKss0oRi', 'KjoJJcs83Y', 'ihv48S7Hqp', 'Hij4zkZMmU', 'ProcessDialogKey', 'C5TKXwU8oA', 'qOOK4ZfogR', 'mFdKKvsF8F'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, IDRN8MVUIJrA0SyCMB.cs High entropy of concatenated method names: 'UxYYWjZRIp', 't7nYGmOXsj', 'XJ3YD8MxWs', 'fc9YkvyZxd', 'k6HY0LnP2p', 'hgPYw2vyau', 'cNXYoSABXM', 'IsbYBncv6G', 'biKYECKVTu', 'zlmY8yuFhY'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, WqdwxofqOpLZq10lrf.cs High entropy of concatenated method names: 'nYAi4tXolT', 'lXfiehmp5L', 'ak8ihkkZ61', 'VM2iOpbJjb', 'JRxiYv0crR', 'IqHiceYVJ2', 'so9iIYSutY', 'CdDdoDeXME', 'GhhdBjYqcm', 'UiYdEQEqLy'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, dORaYORm5fJGaQ8iyt.cs High entropy of concatenated method names: 'FvMemUbnfe', 'Wd9eONEj2M', 'Aa3eYTBdpC', 'HJyeldAeIZ', 'NDZecdWFVQ', 'vT7eIufrsE', 'SQkeaHC47N', 'glgefPsb5a', 'iXaepWK2th', 'Ygfeyb4tRG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, M0EuCRCCG3XyHGWKdZ.cs High entropy of concatenated method names: 'D23a3JtAAR', 'sOcaL4Arlo', 'ytZaSxNUp8', 'u7naZd0N7w', 'FJIa2n7Fq7', 'pnTavQh62l', 'JNtaxerryV', 'UtBa1duKSG', 'eVjau8FKDI', 'Lgta7aGFUH'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, zcrvAxZuxmnBJA23bK.cs High entropy of concatenated method names: 'etiFBdPOr0', 'g5IF8eibvv', 'l3xdXeA7Df', 'IuXd4lwSVO', 'kASFAMhnPN', 'ubGFnkk47v', 'AdJFjtOg3d', 'b8ZFWTh1oO', 'dqdFG6mytc', 'zdTFD9NMnb'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, JpbNvUPlp312cYnUNG.cs High entropy of concatenated method names: 'b275HO8k2N', 'lf55nRJKJt', 'lpY5Wb61H9', 'u1Y5Gkeq7p', 'kdC5sXBDvU', 'O3X5rxlTVU', 'nCO5PYjO6X', 'Rjl5MiXZBJ', 'I2u5TMaRww', 'oTw5gQA7ZM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, CGpJ6owtIVw5ePQCG6T.cs High entropy of concatenated method names: 't4Ti3qSMNa', 'j18iL199El', 'vM8iSkMy4I', 'NgwiZ7eC2Q', 'NwGi2kPKlL', 'luRivThSdp', 'HWhixbvVvc', 's2Di1SfAqd', 'x0tiuNr187', 'aaJi75reEU'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, wFx1lvEKdkq6Xo2d2e.cs High entropy of concatenated method names: 'D5q4aNqNZf', 'CUK4figavu', 'FIk4yFurs7', 'ET14RpDSCw', 'hIB45n5QE2', 'L8h4bVQY5y', 'v42I1dtCmvJJ5VXLfi', 'vPFYhTsBGcFfSASE8j', 'oK144fZE9y', 'Oo04eibZID'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, k8hVAwlW9m71gDlmPe.cs High entropy of concatenated method names: 'lJ6aOJivFq', 'yK4al1jkBD', 'oHraIKQtFE', 'KrXI8c1TvD', 'unvIzid621', 'Eh7aX6fP0C', 'C44a4QonJG', 'eQPaKAmf8i', 'y7oaeVaYpA', 'LkaahLjSEG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, YF266j00O1igmilr8K.cs High entropy of concatenated method names: 'wXRC1T244F', 'XWECuMZULj', 'xHjCUY8xKB', 'd1YCsMejOs', 'MBlCPq40QD', 'VolCM3SpTJ', 'V0oCgfNCbS', 'lIdCtnBZ82', 'en8CH7BnNI', 'TErCAFU2hn'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, OhFXwUIhh9W5wbocTw.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'SmNKE66Bdr', 'wqcK8R9hNm', 'V5gKzORk0r', 'EOCeXISrJC', 'M49e4G8JQZ', 'H72eKGNT7W', 'p0NeefX7bC', 'JTGWUZISbS8LojYioXF'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, xyCo7ZMN4Vd6lXUDIO.cs High entropy of concatenated method names: 'uv8ImLtXYx', 'K54IYBqEEb', 'ytHIcJLWWF', 'MkyIa5Fdx4', 'zwwIf1XNUv', 'cZQc0MxVES', 'nPdcwJ5UBd', 'Abuco3HPI5', 'D0VcBo9KT3', 'H96cESLMBm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, KRc7epz1PCU6q1v26X.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MwZiCrBY0G', 'QYIi58Ko8j', 'aTSibLRNgZ', 'upliFcHlO2', 'fNaid4T4bI', 'a4jiiYZ4LI', 'm1BiQewPK2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, M9vABfOXDxbor8pHPm.cs High entropy of concatenated method names: 'ToString', 'aWbbA5QReq', 'LAIbsL5Qa2', 'mGjbrG5MHr', 'krRbPjWRNk', 'y66bMnbPx3', 'hstbTRPcUi', 'kFVbgEbFXr', 'dKobtMRFBX', 'quEb9HMXWA'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, WlSBKFHkk2rC9q8gdm.cs High entropy of concatenated method names: 'l6AdUVZ4lR', 'HWfdsN6iy6', 'BZZdrDdZMc', 'UWwdPAaStG', 'R6udWHVTsd', 'bGZdM97mMq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.9db0000.8.raw.unpack, rDYk704Y4EKOqrDw6I.cs High entropy of concatenated method names: 'FJdlZpw9gJ', 'LALlvCRsV4', 'zUBl1Tl7Wm', 'DJFluX5Fti', 'vyrl51491V', 'oIllbHwRx0', 'DPulFrNEoK', 'dRnldP8w0q', 'x7wli9TT9y', 'pDxlQJQpW1'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, y55w4XYrT05NJ8fEt8.cs High entropy of concatenated method names: 'RL8dO2KAsa', 'hqjdYrSvnu', 'fGKdlANn9Q', 'tC0dcki6fh', 'zvHdIBvs2j', 'OmQdaceDfq', 'nW2dfkyTCM', 'uEVdpZYsqT', 'sFTdylimSh', 'LOXdRv8Tak'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, liy52BcVgrK9D3eV2g.cs High entropy of concatenated method names: 'Mu9SpT8Tl', 'nskZuXp78', 'g5KvGtMOF', 'tZwxbhy1i', 'jIwuqqSM0', 'guV7aL1uB', 'gOdjroqGqSc8vI08ey', 'kr58qEDYQfLhiPv1ZP', 'XmYdLggqO', 'I0EQTTT6j'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, NqRetdwKyEQANgksvaT.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VDeQWeo6YI', 'VDbQGAQb2C', 'OFpQDJcCm2', 'NjcQkCGH5Y', 'PkVQ03vo4P', 'VVVQwfreE7', 'eGAQo4laaL'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, v3p5tPww9U711rXVmOR.cs High entropy of concatenated method names: 'ToString', 'U0vQefYDLX', 'QGaQh4OOkG', 'dH3QmihnYZ', 'b42QOtZZXv', 'u2gQY45ZQ3', 'nndQlG3FA2', 'rP6QckeSuc', 'oYcVmF9uO9EpDONMlCN', 'RfZVls9W2trhJ9yZERD'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, ucmfMisTFcsKjD2M54.cs High entropy of concatenated method names: 'Dispose', 'hF24EddVEj', 'clVKss0oRi', 'KjoJJcs83Y', 'ihv48S7Hqp', 'Hij4zkZMmU', 'ProcessDialogKey', 'C5TKXwU8oA', 'qOOK4ZfogR', 'mFdKKvsF8F'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, IDRN8MVUIJrA0SyCMB.cs High entropy of concatenated method names: 'UxYYWjZRIp', 't7nYGmOXsj', 'XJ3YD8MxWs', 'fc9YkvyZxd', 'k6HY0LnP2p', 'hgPYw2vyau', 'cNXYoSABXM', 'IsbYBncv6G', 'biKYECKVTu', 'zlmY8yuFhY'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, WqdwxofqOpLZq10lrf.cs High entropy of concatenated method names: 'nYAi4tXolT', 'lXfiehmp5L', 'ak8ihkkZ61', 'VM2iOpbJjb', 'JRxiYv0crR', 'IqHiceYVJ2', 'so9iIYSutY', 'CdDdoDeXME', 'GhhdBjYqcm', 'UiYdEQEqLy'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, dORaYORm5fJGaQ8iyt.cs High entropy of concatenated method names: 'FvMemUbnfe', 'Wd9eONEj2M', 'Aa3eYTBdpC', 'HJyeldAeIZ', 'NDZecdWFVQ', 'vT7eIufrsE', 'SQkeaHC47N', 'glgefPsb5a', 'iXaepWK2th', 'Ygfeyb4tRG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, M0EuCRCCG3XyHGWKdZ.cs High entropy of concatenated method names: 'D23a3JtAAR', 'sOcaL4Arlo', 'ytZaSxNUp8', 'u7naZd0N7w', 'FJIa2n7Fq7', 'pnTavQh62l', 'JNtaxerryV', 'UtBa1duKSG', 'eVjau8FKDI', 'Lgta7aGFUH'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, zcrvAxZuxmnBJA23bK.cs High entropy of concatenated method names: 'etiFBdPOr0', 'g5IF8eibvv', 'l3xdXeA7Df', 'IuXd4lwSVO', 'kASFAMhnPN', 'ubGFnkk47v', 'AdJFjtOg3d', 'b8ZFWTh1oO', 'dqdFG6mytc', 'zdTFD9NMnb'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, JpbNvUPlp312cYnUNG.cs High entropy of concatenated method names: 'b275HO8k2N', 'lf55nRJKJt', 'lpY5Wb61H9', 'u1Y5Gkeq7p', 'kdC5sXBDvU', 'O3X5rxlTVU', 'nCO5PYjO6X', 'Rjl5MiXZBJ', 'I2u5TMaRww', 'oTw5gQA7ZM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, CGpJ6owtIVw5ePQCG6T.cs High entropy of concatenated method names: 't4Ti3qSMNa', 'j18iL199El', 'vM8iSkMy4I', 'NgwiZ7eC2Q', 'NwGi2kPKlL', 'luRivThSdp', 'HWhixbvVvc', 's2Di1SfAqd', 'x0tiuNr187', 'aaJi75reEU'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, wFx1lvEKdkq6Xo2d2e.cs High entropy of concatenated method names: 'D5q4aNqNZf', 'CUK4figavu', 'FIk4yFurs7', 'ET14RpDSCw', 'hIB45n5QE2', 'L8h4bVQY5y', 'v42I1dtCmvJJ5VXLfi', 'vPFYhTsBGcFfSASE8j', 'oK144fZE9y', 'Oo04eibZID'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, k8hVAwlW9m71gDlmPe.cs High entropy of concatenated method names: 'lJ6aOJivFq', 'yK4al1jkBD', 'oHraIKQtFE', 'KrXI8c1TvD', 'unvIzid621', 'Eh7aX6fP0C', 'C44a4QonJG', 'eQPaKAmf8i', 'y7oaeVaYpA', 'LkaahLjSEG'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, YF266j00O1igmilr8K.cs High entropy of concatenated method names: 'wXRC1T244F', 'XWECuMZULj', 'xHjCUY8xKB', 'd1YCsMejOs', 'MBlCPq40QD', 'VolCM3SpTJ', 'V0oCgfNCbS', 'lIdCtnBZ82', 'en8CH7BnNI', 'TErCAFU2hn'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, OhFXwUIhh9W5wbocTw.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'SmNKE66Bdr', 'wqcK8R9hNm', 'V5gKzORk0r', 'EOCeXISrJC', 'M49e4G8JQZ', 'H72eKGNT7W', 'p0NeefX7bC', 'JTGWUZISbS8LojYioXF'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, xyCo7ZMN4Vd6lXUDIO.cs High entropy of concatenated method names: 'uv8ImLtXYx', 'K54IYBqEEb', 'ytHIcJLWWF', 'MkyIa5Fdx4', 'zwwIf1XNUv', 'cZQc0MxVES', 'nPdcwJ5UBd', 'Abuco3HPI5', 'D0VcBo9KT3', 'H96cESLMBm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, KRc7epz1PCU6q1v26X.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MwZiCrBY0G', 'QYIi58Ko8j', 'aTSibLRNgZ', 'upliFcHlO2', 'fNaid4T4bI', 'a4jiiYZ4LI', 'm1BiQewPK2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, M9vABfOXDxbor8pHPm.cs High entropy of concatenated method names: 'ToString', 'aWbbA5QReq', 'LAIbsL5Qa2', 'mGjbrG5MHr', 'krRbPjWRNk', 'y66bMnbPx3', 'hstbTRPcUi', 'kFVbgEbFXr', 'dKobtMRFBX', 'quEb9HMXWA'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, WlSBKFHkk2rC9q8gdm.cs High entropy of concatenated method names: 'l6AdUVZ4lR', 'HWfdsN6iy6', 'BZZdrDdZMc', 'UWwdPAaStG', 'R6udWHVTsd', 'bGZdM97mMq', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, rDYk704Y4EKOqrDw6I.cs High entropy of concatenated method names: 'FJdlZpw9gJ', 'LALlvCRsV4', 'zUBl1Tl7Wm', 'DJFluX5Fti', 'vyrl51491V', 'oIllbHwRx0', 'DPulFrNEoK', 'dRnldP8w0q', 'x7wli9TT9y', 'pDxlQJQpW1'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.5c30000.6.raw.unpack, V4uC3Iifq56IKQcfry.cs High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.5c30000.6.raw.unpack, vpednoN8EZgsJ4TDwx.cs High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: 13E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: 3080000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: 2E80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: 7910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: 7370000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: 8910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: 9910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: 9E30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: AE30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: BE30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: 1020000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: 2830000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Window / User API: threadDelayed 3307
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 7084 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 6908 -- Thread sleep count: 267 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 6908 -- Thread sleep count: 3307 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -99434s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -99202s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -98431s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -98312s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -98094s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe TID: 5196 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 99875
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 99765
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 99547
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 99434
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 99312
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 99202
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 99093
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 98984
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 98875
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 98765
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 98656
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 98547
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 98431
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 98312
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 98203
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 98094
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Thread delayed: delay time: 922337203685477
Source: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000003.00000002.2476005214.0000000000C48000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match -- File source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000003.00000002.2474501053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000003.00000002.2479468346.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000003.00000002.2479468346.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000003.00000002.2479468346.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1233750900.0000000004A77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe PID: 6292, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe PID: 6464, type: MEMORYSTR
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.5c30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4089970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4089970.4.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.5c30000.6.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.1236849879.0000000005C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1233750900.0000000004089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe -- Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match -- File source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000003.00000002.2474501053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000003.00000002.2479468346.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1233750900.0000000004A77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe PID: 6292, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe PID: 6464, type: MEMORYSTR

Remote Access Functionality

Source: Yara match -- File source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4d762d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4cfa0b0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4c7de90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000003.00000002.2474501053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000003.00000002.2479468346.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000003.00000002.2479468346.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000003.00000002.2479468346.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1233750900.0000000004A77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe PID: 6292, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe PID: 6464, type: MEMORYSTR
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.5c30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4089970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.4089970.4.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe.5c30000.6.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.1236849879.0000000005C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.1233750900.0000000004089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 Input Capture | 1 Process Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 141 Virtualization/Sandbox Evasion | 1 Credentials in Registry | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 11 Archive Collected Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 2 Data from Local System | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement



                      Source | Detection | Scanner | Label | Link
                      SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe | 13% | ReversingLabs | Win32.Trojan.Generic |
                      SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe | 26% | Virustotal | | Browse
                      SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe | 100% | Joe Sandbox ML | |
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      orako.co.ke | 1% | Virustotal | | Browse
                      mail.orako.co.ke | 1% | Virustotal | | Browse
                      Source | Detection | Scanner | Label | Link
                      http://mail.orako.co.ke | 0% | Avira URL Cloud | safe |
                      http://orako.co.ke | 0% | Avira URL Cloud | safe |
                      http://mail.orako.co.ke | 1% | Virustotal | | Browse
                      http://orako.co.ke | 1% | Virustotal | | Browse
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      orako.co.ke | 34.195.165.88 | true | true | | unknown
                      mail.orako.co.ke | unknown | unknown | true | | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://mail.orako.co.ke | SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000003.00000002.2479468346.0000000002B16000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                      https://account.dyn.com/ | SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000000.00000002.1233750900.0000000004A77000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000003.00000002.2474501053.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                      http://orako.co.ke | SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe, 00000003.00000002.2479468346.0000000002B16000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                        34.195.165.88 | orako.co.ke | United States | | 14618 | AMAZON-AESUS | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1431467
                        Start date and time:2024-04-25 08:24:10 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 6m 27s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:19
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@3/1@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 89
                        • Number of non-executed functions: 15
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        Time | Type | Description
                        08:25:04 | API Interceptor | 19x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe modified
                        Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                        34.195.165.88 | msaeteGWA0.exe | Get hash | malicious | AgentTesla | Browse |
                        34.195.165.88 | Dec-Mar24 SOA PAYMENT.bat | Get hash | malicious | Unknown | Browse |
                        34.195.165.88 | Purchase Order.exe | Get hash | malicious | AgentTesla | Browse |
                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                              AMAZON-AESUS | https://app.milanote.com/1RZbnl1zfBXuaf?p=r2B66sphbV4 | Get hash | malicious | Unknown | Browse | 44.209.253.226
                              AMAZON-AESUS | http://decktop.us/gORiyf | Get hash | malicious | HTMLPhisher | Browse | 3.216.69.202
                              AMAZON-AESUS | https://shining-melodic-magnesium.glitch.me/rvicendDev.html | Get hash | malicious | Unknown | Browse | 44.214.198.122
                              AMAZON-AESUS | http://confirmartucuentamsnaquimx.hstn.me/login.live.com_login_verify_credentials_outlook.html | Get hash | malicious | HTMLPhisher | Browse | 3.91.136.197
                              AMAZON-AESUS | http://electricalsworksflorida.com/j6u | Get hash | malicious | HTMLPhisher | Browse | 52.72.49.79
                              AMAZON-AESUS | https://gamma.app/docs/Shared-Document-9j9g6z8iqo1w0uu | Get hash | malicious | HTMLPhisher | Browse | 44.217.183.210
                              AMAZON-AESUS | https://in.xero.com/VmFUGq2DR0w0RroiyvWAWXw083jyp1tZyI3WNgUe?utm_source=invoiceEmailViewInvoiceButtonSecondary&utm_campaign=invoicesEmailStandardV2 | Get hash | malicious | Unknown | Browse | 52.200.154.95
                              AMAZON-AESUS | https://runrun.it/share/form/0SRuaDvcQOCgwT9F | Get hash | malicious | HTMLPhisher | Browse | 34.196.171.164
                              AMAZON-AESUS | https://app.frame.io/presentations/da0e116a-d15f-430f-8c37-0aa7d783720f?component_clicked=digest_call_to_action&email_id=8abc710c-c18f-47f5-a884-e927cb8dcfaa&email_type=pending-reviewer-invite | Get hash | malicious | HTMLPhisher | Browse | 18.235.222.209
                              AMAZON-AESUS | https://btcpike.top | Get hash | malicious | Unknown | Browse | 3.225.233.10
                              No context
                              No context
                              Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.34331486778365
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.941846608125575
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                              • Win32 Executable (generic) a (10002005/4) 49.75%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                              File name:SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
                              File size:720'896 bytes
                              MD5:0cddb3e724f9bb0314bf8c50db240cf0
                              SHA1:8018274d23411ab33bf16168036de21e2790aa0b
                              SHA256:3ebacca195af8a57792fa7fa13c371bc68078d8c33f0d16220c6b65df1271d3e
                              SHA512:e3a5d004c7f55ee037ff375d235e6cb1d69b5b6733b253068ac2486d7c5c66352d842dd730f2b5ff80bd1e533c2eb6e8e7ffa87b9d65c1367d3e965618fde0a7
                              SSDEEP:12288:7WYIPXjxannnHg2cOriFgRtHKOtnk9ViDE48k91yOcYG3aHcyvNm:7WYIPFannnHg2JPtKOai0GZlGqHcyvk
                              TLSH:DEE4231223DD835BEE9D47B408B94180977A9E27AC61F34DAE8070EC4B1BBC51766B73
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)f..............0...... ........... ........@.. .......................@............`................................
                              Icon Hash:c14e4c4c4c4c4f41
                              Entrypoint:0x4af5ea
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6629D7D7 [Thu Apr 25 04:11:03 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
                              xor eax, 35455354h
                              xor dword ptr [edi+eax*2], esi
                              dec eax
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [ebx+4Ah], dl
                              push ebx
                              cmp byte ptr [eax+edi+34h], al
                              inc ebx
                              inc ebx
                              xor al, 37h
                              xor eax, 00000035h
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaf598 | 0x4f | .text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x1008 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb2000 | 0xc | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x2000 | 0xad610 | 0xad800 | 296b0d0dceed446095095e5ba8349ba8 | False | 0.9531995789805475 | data | 7.967039469679906 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rsrc | 0xb0000 | 0x1008 | 0x1800 | c6124af9cedb0416bd1621da29575d13 | False | 0.5413411458333334 | data | 5.082622182520175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0xb2000 | 0xc | 0x800 | 16f6e49a2d60ceca0c947c0e7bd23915 | False | 0.01611328125 | data | 0.03037337037012526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_ICON | 0xb00c8 | 0xc08 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9308441558441558
                              RT_GROUP_ICON | 0xb0ce0 | 0x14 | data | | | 1.05
                              RT_VERSION | 0xb0d04 | 0x300 | MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4" | | | 0.4427083333333333
                              DLL | Import
                              mscoree.dll | _CorExeMain
                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                              04/25/24-08:25:09.444640 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              04/25/24-08:25:09.444640 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Apr 25, 2024 08:25:08.004762888 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:25:08.127593040 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:25:08.127759933 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:25:08.655249119 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:25:08.655975103 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:25:08.779047966 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:25:08.780311108 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:25:08.904372931 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:25:08.908298969 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:25:09.046411991 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:25:09.046777010 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:25:09.170039892 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:25:09.170322895 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:25:09.320750952 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:25:09.321007013 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:25:09.443864107 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:25:09.443969011 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:25:09.444639921 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:25:09.444639921 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:25:09.444694996 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:25:09.444694996 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:25:09.567881107 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:25:09.567900896 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:25:09.589384079 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:25:09.635912895 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:26:47.621303082 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:26:47.787044048 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:26:47.945379019 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Apr 25, 2024 08:26:47.945522070 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:26:47.945626020 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88
                              Apr 25, 2024 08:26:48.068459988 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Apr 25, 2024 08:25:07.602786064 CEST | 54384 | 53 | 192.168.2.7 | 1.1.1.1
                              Apr 25, 2024 08:25:07.996891022 CEST | 53 | 54384 | 1.1.1.1 | 192.168.2.7
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Apr 25, 2024 08:25:07.602786064 CEST | 192.168.2.7 | 1.1.1.1 | 0xce65 | Standard query (0) | mail.orako.co.ke | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Apr 25, 2024 08:25:07.996891022 CEST | 1.1.1.1 | 192.168.2.7 | 0xce65 | No error (0) | mail.orako.co.ke | orako.co.ke | | CNAME (Canonical name) | IN (0x0001) | false
                              Apr 25, 2024 08:25:07.996891022 CEST | 1.1.1.1 | 192.168.2.7 | 0xce65 | No error (0) | orako.co.ke | | 34.195.165.88 | A (IP address) | IN (0x0001) | false
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                              Apr 25, 2024 08:25:08.655249119 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7 | 220-ccaws1.coatedcloud.com ESMTP Exim 4.96.2 #2 Thu, 25 Apr 2024 06:25:08 +0000
                                  220-We do not authorize the use of this system to transport unsolicited,
                                  220 and/or bulk e-mail.
                              Apr 25, 2024 08:25:08.655975103 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88 | EHLO 675052
                              Apr 25, 2024 08:25:08.779047966 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7 | 250-ccaws1.coatedcloud.com Hello 675052 [185.152.66.230]
                                  250-SIZE 52428800
                                  250-8BITMIME
                                  250-PIPELINING
                                  250-PIPECONNECT
                                  250-AUTH PLAIN LOGIN
                                  250-STARTTLS
                                  250 HELP
                              Apr 25, 2024 08:25:08.780311108 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88 | AUTH login aW5mb29vQG9yYWtvLmNvLmtl
                              Apr 25, 2024 08:25:08.904372931 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7 | 334 UGFzc3dvcmQ6
                              Apr 25, 2024 08:25:09.046411991 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7 | 235 Authentication succeeded
                              Apr 25, 2024 08:25:09.046777010 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88 | MAIL FROM:<infooo@orako.co.ke>
                              Apr 25, 2024 08:25:09.170039892 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7 | 250 OK
                              Apr 25, 2024 08:25:09.170322895 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88 | RCPT TO:<me@orako.co.ke>
                              Apr 25, 2024 08:25:09.320750952 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7 | 250 Accepted
                              Apr 25, 2024 08:25:09.321007013 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88 | DATA
                              Apr 25, 2024 08:25:09.443969011 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
                              Apr 25, 2024 08:25:09.444694996 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88 | .
                              Apr 25, 2024 08:25:09.589384079 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7 | 250 OK id=1rzsTE-00791q-1u
                              Apr 25, 2024 08:26:47.621303082 CEST | 49703 | 587 | 192.168.2.7 | 34.195.165.88 | QUIT
                              Apr 25, 2024 08:26:47.945379019 CEST | 587 | 49703 | 34.195.165.88 | 192.168.2.7 | 221 ccaws1.coatedcloud.com closing connection


                              Target ID:0
                              Start time:08:25:03
                              Start date:25/04/2024
                              Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe"
                              Imagebase:0xc20000
                              File size:720'896 bytes
                              MD5 hash:0CDDB3E724F9BB0314BF8C50DB240CF0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1236849879.0000000005C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1233750900.0000000004089000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1233750900.0000000004A77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1233750900.0000000004A77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:3
                              Start time:08:25:04
                              Start date:25/04/2024
                              Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.12561.19906.exe"
                              Imagebase:0x650000
                              File size:720'896 bytes
                              MD5 hash:0CDDB3E724F9BB0314BF8C50DB240CF0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2474501053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2474501053.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2479468346.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2479468346.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2479468346.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2479468346.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:false


                                Execution Graph

                                Execution Coverage:10.9%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:192
                                Total number of Limit Nodes:10
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237630934.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 461ecf5b2d10cf629e56479d36a3796887c42f9f4cfc5d66338b8fbdb02ff0d7
                                • Instruction ID: 5282ce904a09144f469cc7e9be2d091af4c80aea2f7ae979b77697ac1c923e47
                                • Opcode Fuzzy Hash: 461ecf5b2d10cf629e56479d36a3796887c42f9f4cfc5d66338b8fbdb02ff0d7
                                • Instruction Fuzzy Hash: FD32ABB0B01206CFDB19DBA9C554BAEB7F6AF89654F144869E506DB3E0CB30DD02CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 925020b1ce1638d18269f0485aa7111cbd999576b7c7df2887c516af69ac23af
                                • Instruction ID: f3c7cd16c5a2a02a3dd6ceda23960fb6befb6bce4c4d5112c35a182adba8c7f0
                                • Opcode Fuzzy Hash: 925020b1ce1638d18269f0485aa7111cbd999576b7c7df2887c516af69ac23af
                                • Instruction Fuzzy Hash: E05159B0E1520A9FEB04CFA6D4555EEFBF2FF89201F14942AE405A7394D7349A42CF94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1684708535862441539c7acc241f388e698079e75c3eccb111d8d0cf77fc2571
                                • Instruction ID: 9778b70a8329832e2de6829b16ac43f84812ef80402326af8f948edaefc04f66
                                • Opcode Fuzzy Hash: 1684708535862441539c7acc241f388e698079e75c3eccb111d8d0cf77fc2571
                                • Instruction Fuzzy Hash: 405168B0E1520A9FEB04CFA6D4515EEFBF2FF89301F14942AE409A3394D7349A418F94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Control-flow graph of function 13ed7f8 (calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId); node and edge list omitted
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 013ED876
                                • GetCurrentThread.KERNEL32 ref: 013ED8B3
                                • GetCurrentProcess.KERNEL32 ref: 013ED8F0
                                • GetCurrentThreadId.KERNEL32 ref: 013ED949
                                Memory Dump Source
                                • Source File: 00000000.00000002.1231385747.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_13e0000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: d57cd483100ef8a684b5524e0fd3a3f7e808e2a1a5cebb15f5629fcd76f3cf64
                                • Instruction ID: 80d65d956c8688789298f880117ce8db9458328920df3b2c7c27640d8fa39d1a
                                • Opcode Fuzzy Hash: d57cd483100ef8a684b5524e0fd3a3f7e808e2a1a5cebb15f5629fcd76f3cf64
                                • Instruction Fuzzy Hash: CB5145B0D003098FDB14DFAAD548BAEBBF1EB88314F24845DE419A7390DB74A945CF65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Control-flow graph of function 751c610 (calls ResumeThread); node and edge list omitted
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID: U
                                • API String ID: 947044025-3372436214
                                • Opcode ID: 5b564b65b0c492a19b595e1aab6d80c3f8992a9cd198bfa7b351136b7e8e7119
                                • Instruction ID: 47d6437814284e3c87254691dffee6909080d3aa7c43141986cd41e3210c3c6d
                                • Opcode Fuzzy Hash: 5b564b65b0c492a19b595e1aab6d80c3f8992a9cd198bfa7b351136b7e8e7119
                                • Instruction Fuzzy Hash: 941146B1D003498FDB20DFAAD8457DFFBF5AB88320F14881AD419A7640CA79A945CBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Control-flow graph of function 751d356 (calls CreateProcessA); node and edge list omitted
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0751D58E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: f4602788328841c4efafc3ca9487852eb735f1d94ee7fb69529e2da4417243fc
                                • Instruction ID: e8fbbf4ac7df4a339e4fd99445eb5e65b820f27c475ef8ed083bd69072e10f2f
                                • Opcode Fuzzy Hash: f4602788328841c4efafc3ca9487852eb735f1d94ee7fb69529e2da4417243fc
                                • Instruction Fuzzy Hash: 8B9150B1E00759DFEB24DF68C840BDDBBB2BF44315F0485AAD809A7280DB759985CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Control-flow graph of function 751d358 (calls CreateProcessA); node and edge list omitted
                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0751D58E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: bb2d712d7fde294fc37c9a05aae91df8b12d3007ccfaeffb1d43c108a1f51f33
                                • Instruction ID: 1cb739dae8fe56c6cc6d2a72018f93cc59b944414c482c3432ba2a113b972c4e
                                • Opcode Fuzzy Hash: bb2d712d7fde294fc37c9a05aae91df8b12d3007ccfaeffb1d43c108a1f51f33
                                • Instruction Fuzzy Hash: BE9150B1E00759CFEB24DF68C840BDDBBB2BF44315F0485AAD809A7280D7759985CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Control-flow graph of function 13eb55f (calls 13e8ac0, 13eb7f8, 13eb808, 13eaf54, 13eaf64, 13eaf74, 13eaf84, GetModuleHandleW); node and edge list omitted
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 013EB7C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1231385747.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_13e0000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 04d4e78b20974271bb5e45a4a2417b9ab2623b59c6285ad8eea3c4f35c319eae
                                • Instruction ID: a4d2e9c60a2e9926e06faf2b30d3a6b86987d51cee5c5cc0805977b9d7eb29a6
                                • Opcode Fuzzy Hash: 04d4e78b20974271bb5e45a4a2417b9ab2623b59c6285ad8eea3c4f35c319eae
                                • Instruction Fuzzy Hash: A5815770A00B158FDB25DF29D55875ABBF1FF88214F00892ED08ADBA94D734E90ACF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 013E59C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1231385747.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_13e0000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 272e193a7ee0fed4b78519dedd54185a5c814d48e86a32e102f576b588b4ebd3
                                • Instruction ID: 112bbfe3dc7176fa72419c3751ee22248c42e25117c5faa08bfc5bf953c5ba53
                                • Opcode Fuzzy Hash: 272e193a7ee0fed4b78519dedd54185a5c814d48e86a32e102f576b588b4ebd3
                                • Instruction Fuzzy Hash: B841E475C00729CBEB25DFA9C88479DBBF5BF49308F20815AD408AB291DB756946CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 013E59C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1231385747.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_13e0000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: a6057f854737d77e43d1f58e3b6e8ce40ea529abe82729ca4a5096ecef5ef07a
                                • Instruction ID: 1c2af9819af6d59541840ad3ed45999116fb433b9ed32c1efe85761a3c216d96
                                • Opcode Fuzzy Hash: a6057f854737d77e43d1f58e3b6e8ce40ea529abe82729ca4a5096ecef5ef07a
                                • Instruction Fuzzy Hash: 5041F475C0072DCBEB24DFA9C84879DBBF5BF49308F20806AD509AB251DB756946CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1231385747.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_13e0000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0ab483d5d26cb4c56b83dcd0d3e339e8080dfe1e0cac5a711988e57fa0a0b21a
                                • Instruction ID: cb5b2630cacf58248471d020d3f3821f6f22d53253029dc0b0ab3c567f0c712a
                                • Opcode Fuzzy Hash: 0ab483d5d26cb4c56b83dcd0d3e339e8080dfe1e0cac5a711988e57fa0a0b21a
                                • Instruction Fuzzy Hash: F531DF75C04769CFEB22CFA8C8487DDBBF0AF46328F104289D405AB291C7755946CB41
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0751D160
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 529178cd406810ccf387bfe6dada3565a3efd1c9c367c72a2ed3cff876676c96
                                • Instruction ID: 6c6d2e592f65e55524e2b170e2a9fd9a0a30f95e18c5619f4286d1810c08f0cf
                                • Opcode Fuzzy Hash: 529178cd406810ccf387bfe6dada3565a3efd1c9c367c72a2ed3cff876676c96
                                • Instruction Fuzzy Hash: 362126B5D003199FDB10DFA9D881BEEBBF5FF48310F50842AE919A7240CB799944CBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0751D240
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: b6c23067e1b684d10a4438e6af2f693352fb785278649f120267d6936edd9b96
                                • Instruction ID: 925f8cf8374773f2099a584f70c0209ba1242883fc2d13fb718341621e2303ac
                                • Opcode Fuzzy Hash: b6c23067e1b684d10a4438e6af2f693352fb785278649f120267d6936edd9b96
                                • Instruction Fuzzy Hash: 3F2139B1D003499FDB10DFAAD841BEEBBF5FF48310F50842AE929A7240CB359940CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0751D160
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 2e11ef8d6e9d0469f75dd1f2b88eea986ea58e4c8db3b4a8321b683a0b1c6bf7
                                • Instruction ID: 561f4966d5987f028593ccd1307cb51c9a4477859b3b5c270f7d45247ac251b5
                                • Opcode Fuzzy Hash: 2e11ef8d6e9d0469f75dd1f2b88eea986ea58e4c8db3b4a8321b683a0b1c6bf7
                                • Instruction Fuzzy Hash: B12124B5D003099FDB10DFAAC881BDEBBF5FF48310F50882AE919A7240C7799944CBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0751C746
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0751C746
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0751D240
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013EDAC7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1231385747.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_13e0000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0751D07E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013EB841,00000800,00000000,00000000), ref: 013EBA52
                                Memory Dump Source
                                • Source File: 00000000.00000002.1231385747.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_13e0000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0751D07E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindCloseChangeNotification.KERNELBASE(?), ref: 07701980
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237630934.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: ChangeCloseFindNotification
                                • String ID:
                                • API String ID: 2591292051-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013EB841,00000800,00000000,00000000), ref: 013EBA52
                                Memory Dump Source
                                • Source File: 00000000.00000002.1231385747.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_13e0000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 013EB7C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1231385747.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_13e0000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0751F5ED
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 0751F5ED
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindCloseChangeNotification.KERNELBASE(?), ref: 07701980
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237630934.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: ChangeCloseFindNotification
                                • String ID:
                                • API String ID: 2591292051-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1231092854.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_138d000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1231213548.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_139d000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1231213548.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_139d000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1231092854.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_138d000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1231213548.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_139d000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1231213548.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_139d000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1231092854.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_138d000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1231092854.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_138d000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: T+-q$[V~*$[V~*$]\`
                                • API String ID: 0-1849991408
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: T+-q$[V~*$]\`
                                • API String ID: 0-3978741314
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237630934.0000000007700000.00000040.00000800.00020000.00000000.sdmp, Offset: 07700000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7700000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: acb7daf4db6397ba4166d16e4c327db304f7553b763c82636f4c2754caa5ad6c
                                • Instruction ID: 015bc0771eb2526a8050b03ffe7b4fecd36566a202c3c57554b9c7ce9478e984
                                • Opcode Fuzzy Hash: acb7daf4db6397ba4166d16e4c327db304f7553b763c82636f4c2754caa5ad6c
                                • Instruction Fuzzy Hash: 8DE107B4E012198FDB14CFA9C680AAEBBB2FF89305F24C169D454AB355D735AD42CF60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 664d194dcfd208e93853e9a0b693f2edcb4928e200d619fff81580dacdf7bba9
                                • Instruction ID: 972a839743a21c1a06b2e25b0e4aedd00181ffa2caceeaecf3de58dc3236e546
                                • Opcode Fuzzy Hash: 664d194dcfd208e93853e9a0b693f2edcb4928e200d619fff81580dacdf7bba9
                                • Instruction Fuzzy Hash: 4EE119B4E002198FDB14CFA9C580AAEFBB2FF89305F248169D454AB355D735AD42CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c99b552c9ca8ee870e59cf674485f483c601301258aba47e64c5640b0533f3e1
                                • Instruction ID: a2c310dc6efbc3a079be761671b02c2a52c9df301d11ce74ff1a7dee74665634
                                • Opcode Fuzzy Hash: c99b552c9ca8ee870e59cf674485f483c601301258aba47e64c5640b0533f3e1
                                • Instruction Fuzzy Hash: EEE11AB4E002198FDB14CFA9C580AAEFBB2FF89305F248169D454AB355D735AD42CFA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b1d1c2df0871f0fb50352a1cde14f6d6728bad42846ceedcba55bbd4faca355c
                                • Instruction ID: e288a5cef8671cc4e2246069039ed1abb039527251b49e1129e6539c5a0420f4
                                • Opcode Fuzzy Hash: b1d1c2df0871f0fb50352a1cde14f6d6728bad42846ceedcba55bbd4faca355c
                                • Instruction Fuzzy Hash: D2D11435C1075A8ACB11EF74D9906D9B7B1FF96300F20C79AD4493B250EB74AADACB81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 353057dd6acdc58c4a8942090c963aa58c8fe1e20e66fc30a8d066efbf994fa4
                                • Instruction ID: fa8003b86ee53984c9dacf67cd0de7ae0b9df42417a264d87fd6ded0302c72d6
                                • Opcode Fuzzy Hash: 353057dd6acdc58c4a8942090c963aa58c8fe1e20e66fc30a8d066efbf994fa4
                                • Instruction Fuzzy Hash: 45D12435C10B1A8ACB11EF74D9906D9B7B1FF96300F20879AD4493B250EB74AAD9CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1231385747.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_13e0000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9f6d1bfe9e295f87ee71dc6e879027613798601253fb36fb53db7891f0295125
                                • Instruction ID: 86a961248ecbcc2e92a111537cfc11d4113e661e99e41031584ad6cf4310dfa5
                                • Opcode Fuzzy Hash: 9f6d1bfe9e295f87ee71dc6e879027613798601253fb36fb53db7891f0295125
                                • Instruction Fuzzy Hash: 3FA15E32A0032A8FCF15DFA8C84859EBBF6FF84304B15457AE905AB295DB71E956CF40
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c4f05a319bd40b1a0cb2eaf5d24cc5ee2932fde8b9c0fca8d72e9a4d86c7abb1
                                • Instruction ID: 7fc159abc32caae1b709854a3f9f91712bde513bb9f8633e6ab232115d8095d6
                                • Opcode Fuzzy Hash: c4f05a319bd40b1a0cb2eaf5d24cc5ee2932fde8b9c0fca8d72e9a4d86c7abb1
                                • Instruction Fuzzy Hash: EAD1F535C10B1A8ACB11EF74D990699F7B1FF96300F20C79AD4493B250EB74AAD9CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9ffcd8fd722e826d51054ade380a785a6dd9352a441a1b8a770b00a9c8d73c02
                                • Instruction ID: 9f9880a49ac87bd3ec06e9a5d9561161b7408a4cb30f52e64c9c22d46c8508d2
                                • Opcode Fuzzy Hash: 9ffcd8fd722e826d51054ade380a785a6dd9352a441a1b8a770b00a9c8d73c02
                                • Instruction Fuzzy Hash: 76514BB1E002198FDB14CFA9C9806EEFBB2FF89211F24816AD458A7355D7359D42CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5fa7ed72aeb0206c6ca4ae9c5fd0dfa82c88294a5ed42d78c1547b82c000dcb6
                                • Instruction ID: b89c8b12a0a401c7dafcb33465367faa0e8f28f039c932dcc4171b852a465231
                                • Opcode Fuzzy Hash: 5fa7ed72aeb0206c6ca4ae9c5fd0dfa82c88294a5ed42d78c1547b82c000dcb6
                                • Instruction Fuzzy Hash: 825119B4E012198FDB15CFA9C9805AEBBF6BF89201F24C16AD458AB355D7349D42CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1237306867.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7510000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fccb0e3ef1d2c725c5904b1d9c2ed6b251b7803f14a6e44ed8f58038acadd2ab
                                • Instruction ID: d7ce860aeab7cde0af7e34fb7563a1564f1973340ec03764cd8bbaeadb202653
                                • Opcode Fuzzy Hash: fccb0e3ef1d2c725c5904b1d9c2ed6b251b7803f14a6e44ed8f58038acadd2ab
                                • Instruction Fuzzy Hash: 28E012B5909208CBDB008FA4E4560F8B7B8BB8B312F0064A5950EA3251D6308984AA50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Execution Graph

                                Execution Coverage: 12.2%
                                Dynamic/Decrypted Code Coverage: 100%
                                Signature Coverage: 0%
                                Total number of Nodes: 26
                                Total number of Limit Nodes: 5
                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6bc353514527dc3afc545489d6a9f66cfbe443b19933b2b8d67e872d5d4cf9b6
                                • Instruction ID: 25313b5136ecc305eb2c4277ba55446276cec30c8d8512b84d195649960773b9
                                • Opcode Fuzzy Hash: 6bc353514527dc3afc545489d6a9f66cfbe443b19933b2b8d67e872d5d4cf9b6
                                • Instruction Fuzzy Hash: FB530731D10B1A8ADB51EF68C8806A9F7B1FF99300F55D79AE45877121FB70AAC4CB81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ca025624f575823bd9196f134350673929020ef038a3ed2bdf7b13ff55b7e5fc
                                • Instruction ID: 6583c83a7b4c26db2d052d9bd18edb25f02b3308c1727f004f690219891e0188
                                • Opcode Fuzzy Hash: ca025624f575823bd9196f134350673929020ef038a3ed2bdf7b13ff55b7e5fc
                                • Instruction Fuzzy Hash: 5453F531D10B1A8ADB51EF68C8806A9F7B1FF99300F55D79AE45877121FB70AAC4CB81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3025836d3f8c7d23de61ed5e8358c2e7b28a182dd3050c11c9982976db5f5cc1
                                • Instruction ID: 64c12e35fe6afec02faa26c04b0ec1e6b185a7504c811d63452cca5a8451151c
                                • Opcode Fuzzy Hash: 3025836d3f8c7d23de61ed5e8358c2e7b28a182dd3050c11c9982976db5f5cc1
                                • Instruction Fuzzy Hash: FC331D31D1071A8EDB11EF68C8906ADF7B1FF99300F55C79AE458A7211EB70AAC5CB81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: \VGm
                                • API String ID: 0-1150679331
                                • Opcode ID: 8dafac9fb13876eaf6cd15a6baaa8956c083778e22dac49f77d6e7f2856f5225
                                • Instruction ID: d6cef3922249ec078abb9fe456297229f0376e6da513f4323d599a470c9f95ca
                                • Opcode Fuzzy Hash: 8dafac9fb13876eaf6cd15a6baaa8956c083778e22dac49f77d6e7f2856f5225
                                • Instruction Fuzzy Hash: EF915E70E003198FDB64CFA9D885BDDBBF2BF58314F248129E455EB254DB749885CB81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7278c9c56e18b625636bb6d556ca7340d449bf67a6ada1367da5f9878f595a2d
                                • Instruction ID: 6cc99f19e30b59012e584270de0bc3aab8c6198d617a5e0783c20caabbce4381
                                • Opcode Fuzzy Hash: 7278c9c56e18b625636bb6d556ca7340d449bf67a6ada1367da5f9878f595a2d
                                • Instruction Fuzzy Hash: D3326C34A002248FDB65DF68D584AAEBBF2FF88314F248569E949DB395DB70DC41CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 02a60fdfe051db34f94c897710a3b1fe7a8ac87a00e547887d09e900cf122533
                                • Instruction ID: 5aa276a08c20ed7dd103968d3bfd4a16dd8a26a84dbb21b49349e3cef0c46d8f
                                • Opcode Fuzzy Hash: 02a60fdfe051db34f94c897710a3b1fe7a8ac87a00e547887d09e900cf122533
                                • Instruction Fuzzy Hash: B9B17F70E003298FDB65DFADD8817DDBBF2AF48314F248129D855EB294EB749885CB81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: \VGm$\VGm
                                • API String ID: 0-2238751749
                                • Opcode ID: 9718ae5c4bafdf667a9088134e24332b04ff6d48a1fc8d563b88c45c4f2c85a3
                                • Instruction ID: 5883998d54db944a90b6cedfcc519fd0c033cd10134ef833a181aeda9c39c3a3
                                • Opcode Fuzzy Hash: 9718ae5c4bafdf667a9088134e24332b04ff6d48a1fc8d563b88c45c4f2c85a3
                                • Instruction Fuzzy Hash: 7B715B70E003599FDB24CFA9C8817DEBBF2BF88314F148129E455EB254EB749842CB95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: \VGm$\VGm
                                • API String ID: 0-2238751749
                                • Opcode ID: abc9e23c914da4b23e6fcfe49a84358ffec75d8801bf301ea573d24c83e87ea2
                                • Instruction ID: ee313ab0b8064c6690d23248216e2f0589526605c39d68b654d7243b3bcd20fc
                                • Opcode Fuzzy Hash: abc9e23c914da4b23e6fcfe49a84358ffec75d8801bf301ea573d24c83e87ea2
                                • Instruction Fuzzy Hash: D07169B0E002598FDB64CFA9C885BDEBBF2BF48314F148129E455EB254EB749842CF95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: LRq$LRq
                                • API String ID: 0-3710822783
                                • Opcode ID: d3987b9624b6635f60831c996f10a2a3b75b2da64a20011dc9bf14ad21ec789c
                                • Instruction ID: 9effd0b00c17216f551952a302556d0af1bcee0e8c320cd06d28ce4d222bbcc4
                                • Opcode Fuzzy Hash: d3987b9624b6635f60831c996f10a2a3b75b2da64a20011dc9bf14ad21ec789c
                                • Instruction Fuzzy Hash: DE51D330A002259FDB55DF79C4507AEBBF2EF95300F50846AE845EB281EB729C46CB81
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000003.00000002.2484143128.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_5f10000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dd8f1270aeb627b777e221090dc802e13e030596ba30f1f9c8f60952580925d0
                                • Instruction ID: f5a681ffe477585afacd30c949d2c555372caa3b1e1bb708a0499e1abd6b95c1
                                • Opcode Fuzzy Hash: dd8f1270aeb627b777e221090dc802e13e030596ba30f1f9c8f60952580925d0
                                • Instruction Fuzzy Hash: F7411232D0478A8FCB14DFA9D8007EEBBF5AF89210F18856AD905E7241DB389845CBD4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05F1E1DA), ref: 05F1E2C7
                                Memory Dump Source
                                • Source File: 00000003.00000002.2484143128.0000000005F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_5f10000_SecuriteInfo.jbxd
                                Similarity
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6b879c614015b1e3eb9130557e5c155ca8df47a62cba5c35288c3cf2b7a4cef3
                                • Instruction ID: 622202c0e2e2a301e626948e531d3e2d12e20319862bd6617e9674d60206dda5
                                • Opcode Fuzzy Hash: 6b879c614015b1e3eb9130557e5c155ca8df47a62cba5c35288c3cf2b7a4cef3
                                • Instruction Fuzzy Hash: 26218E30B00265CFEF65EB68C5547AE7BF2AF49204F2404A8D146EB395DB758D41CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8c5d540b207b8f7a472b033067e828c6dad182944786ea131f189e93abdd2a73
                                • Instruction ID: 85c2dc3759e0ada931510af4e9f7503b894653d53228ed098e75fb040af7e20d
                                • Opcode Fuzzy Hash: 8c5d540b207b8f7a472b033067e828c6dad182944786ea131f189e93abdd2a73
                                • Instruction Fuzzy Hash: FF212834B00214CFDB54EB79D998BAD77F1EB8D200F1044A9E506EB3A0DB769D05CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478091035.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_ecd000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 99ac261e40ee6c76fe593f9e29be525de5d7872fb4038f24441f656e329e945c
                                • Instruction ID: 86b265f00625e7081d0961bb5c330c974a53df9ba7581566e46c8adbb3552e42
                                • Opcode Fuzzy Hash: 99ac261e40ee6c76fe593f9e29be525de5d7872fb4038f24441f656e329e945c
                                • Instruction Fuzzy Hash: 532160755093808FD702CF24D990B15BF72EB46214F28C5EAD8498B6A7C33B980BCB62
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c30c6b92c267500f1688780e59d46500fab2204e880c90e3a71cb827b1abade1
                                • Instruction ID: 16f3bfae0f6ba6e7f2ad72572f91947cfa9fe39c3302a6c39ce2223ad42b30ac
                                • Opcode Fuzzy Hash: c30c6b92c267500f1688780e59d46500fab2204e880c90e3a71cb827b1abade1
                                • Instruction Fuzzy Hash: 4A11E730B043258FEF66667DD85037F3791DB46214F1049BAE0C6CF28BD9A5C8468BC1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 21b16546af5530a25153cd85f6e96e87273bf3388bc7139183a2d7574508f1f2
                                • Instruction ID: dbcfd782cd7739c30dc9ab7379ae258a8cdd8d26def5d1a30a6c39a3f7801fe6
                                • Opcode Fuzzy Hash: 21b16546af5530a25153cd85f6e96e87273bf3388bc7139183a2d7574508f1f2
                                • Instruction Fuzzy Hash: 1611C434B003298FEFA56A7DD44472B32D5EB85214F1048BAF0C6CF28AD9A5CC868BC1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c7b5a5bac105281137059fc017c1c60ed524ea3ff2ab73611c298738b13959e8
                                • Instruction ID: 934b984db50538ecbc0aa4e4a32acec0cbfb43d921a9018f60241ca25a0500cf
                                • Opcode Fuzzy Hash: c7b5a5bac105281137059fc017c1c60ed524ea3ff2ab73611c298738b13959e8
                                • Instruction Fuzzy Hash: 1711CE75F003618FDF51AF78984866F7BE5EB89A50F100868E945D7344EA30C802C7D1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b605e31a86c3723205347731a8913875105f8cd3828c9e9eca6d3186a72d5b65
                                • Instruction ID: 75827b5df327bb95376bb7c3410685795f9542ab4ee7e0a1fd69b67e40947811
                                • Opcode Fuzzy Hash: b605e31a86c3723205347731a8913875105f8cd3828c9e9eca6d3186a72d5b65
                                • Instruction Fuzzy Hash: D8014C31E013369FCF65EFBC84506AEBBF5EB48250B2404BAD849E7301EB35D9428B91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb52e162c250d29066b5f1acbe76383fbcc2152edbdc42d504e83ac6cb75c6a4
                                • Instruction ID: 4e82bac4492adb5086225bf96cf838161850915b24d2b9ff18439a7c7d933b34
                                • Opcode Fuzzy Hash: bb52e162c250d29066b5f1acbe76383fbcc2152edbdc42d504e83ac6cb75c6a4
                                • Instruction Fuzzy Hash: 6A018434910218EFDF01FBB8E891ADD7FB1EF40300F5082A9C0059B29AEA347E06C791
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5f8486ac3813b4cc2ea8c1c4039dfbca8659d1ba20fa0806899c47bdacfdf466
                                • Instruction ID: 3a0fb9cb120b0ef73fd6454e6270601ca53c5bbdba29d532f017a6f8b6fe2bd1
                                • Opcode Fuzzy Hash: 5f8486ac3813b4cc2ea8c1c4039dfbca8659d1ba20fa0806899c47bdacfdf466
                                • Instruction Fuzzy Hash: 6EF02477A04270DFDB228BA884902ACBFB0FEA922171C00D7D8CADB211D732E406CB51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 60368050e6aef64e6e6fa2ed60c2a8918bca3d70e7ca082868979cdd1dc80282
                                • Instruction ID: cafe423d0b12dbc76e58d4c5e7aad213faa476fca73e34cfeaeea4b89bf0379b
                                • Opcode Fuzzy Hash: 60368050e6aef64e6e6fa2ed60c2a8918bca3d70e7ca082868979cdd1dc80282
                                • Instruction Fuzzy Hash: 2EF0E739B40218CFDB14DB78D598B6D77B2FF88326F1144A8E5069B3A4CB35AD42CB40
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3177aa361d6ec4152c0f14080ed56a17e133c65b7168e4bbdfdd064dcac76807
                                • Instruction ID: 07c1fdce58dc946d7935006f87f43c6021451bf0f83f7022b3c2cd8022b6509a
                                • Opcode Fuzzy Hash: 3177aa361d6ec4152c0f14080ed56a17e133c65b7168e4bbdfdd064dcac76807
                                • Instruction Fuzzy Hash: 74F01D34910218AFDF01FBA8F941ADDBBB1EF40300F5096A980049B259EA357E06CB91
                                Uniqueness

                                Uniqueness Score: -1.00%
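The entries above are Joe Sandbox's per-function similarity records for the final memory dump (dump index 2) of process 3. Every function sits in a region that is not backed by a PE image ("based on PE: false"), and the protection field in the dump name (0x40) is PAGE_EXECUTE_READWRITE, which is the footprint of the injected AgentTesla payload rather than of the on-disk sample. When a report like this is handed over as rendered text, the useful thing to do is to parse it back into records so the Instruction Fuzzy Hashes can be pivoted on across reports. The following parser is an added example, not Joe Sandbox's own code. It assumes the usual Joe Sandbox `.sdmp` naming (process index, dump index, id, base address, protection, then further fields), which is a reading of the names, not something the report documents; the sample input is two entries copied from the listing above.

```python
"""Parse the per-function "Memory Dump Source / Similarity" entries of a
rendered Joe Sandbox report into records that can be pivoted on."""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: two entries copied from the listing above, in the layout the
# report renders them in (one from region 00ECD000, one from 01020000).
SAMPLE = """\
Memory Dump Source
• Source File: 00000003.00000002.2478091035.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_ecd000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 99ac261e40ee6c76fe593f9e29be525de5d7872fb4038f24441f656e329e945c
• Instruction ID: 86b265f00625e7081d0961bb5c330c974a53df9ba7581566e46c8adbb3552e42
• Opcode Fuzzy Hash: 99ac261e40ee6c76fe593f9e29be525de5d7872fb4038f24441f656e329e945c
• Instruction Fuzzy Hash: 532160755093808FD702CF24D990B15BF72EB46214F28C5EAD8498B6A7C33B980BCB62
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.2478653424.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1020000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c30c6b92c267500f1688780e59d46500fab2204e880c90e3a71cb827b1abade1
• Instruction ID: 16f3bfae0f6ba6e7f2ad72572f91947cfa9fe39c3302a6c39ce2223ad42b30ac
• Opcode Fuzzy Hash: c30c6b92c267500f1688780e59d46500fab2204e880c90e3a71cb827b1abade1
• Instruction Fuzzy Hash: 4A11E730B043258FEF66667DD85037F3791DB46214F1049BAE0C6CF28BD9A5C8468BC1
Uniqueness

Uniqueness Score: -1.00%
"""

# Documented Win32 PAGE_* base protections; the low byte of the protection
# field names exactly one of them.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Assumption: the dot-separated .sdmp name is
# <process index>.<dump index>.<id>.<base address>.<protection>.<...>; the
# report itself does not document the layout.
@dataclass
class FunctionEntry:
    source_file: str
    process_index: int
    dump_index: int
    base_address: int
    protection: str
    pe_backed: bool
    opcode_hash: str
    instruction_hash: str

def _field(name: str, text: str) -> str:
    """Value of a '• <name>: value' line; empty string if the line is blank."""
    m = re.search(rf"^[^\w\n]*{re.escape(name)}: ?(.*)$", text, re.M)
    return m.group(1).strip() if m else ""

def parse_entries(text: str) -> list[FunctionEntry]:
    """Split the rendered listing at each 'Memory Dump Source' header."""
    entries = []
    for chunk in text.split("Memory Dump Source")[1:]:
        m = re.search(r"Source File: (\S+\.sdmp), Offset: ([0-9A-Fa-f]+), "
                      r"based on PE: (true|false)", chunk)
        if not m:
            continue
        name, offset, pe = m.groups()
        parts = name[:-len(".sdmp")].split(".")
        base = int(parts[3], 16)
        assert base == int(offset, 16), "dump name and Offset disagree"
        prot = int(parts[4], 16)
        entries.append(FunctionEntry(
            source_file=name, process_index=int(parts[0]),
            dump_index=int(parts[1]), base_address=base,
            protection=PAGE_PROTECTION.get(prot & 0xFF, f"0x{prot:x}"),
            pe_backed=(pe == "true"),
            opcode_hash=_field("Opcode Fuzzy Hash", chunk),
            instruction_hash=_field("Instruction Fuzzy Hash", chunk)))
    return entries

def suspicious_regions(entries: list[FunctionEntry]) -> dict[int, int]:
    """Functions per region that is writable+executable and not PE-backed:
    the usual footprint of injected or unpacked code. {base: count}"""
    c = Counter(e.base_address for e in entries if not e.pe_backed
                and e.protection in ("PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"))
    return dict(c)

def pivot_hashes(entries: list[FunctionEntry]) -> list[str]:
    """Unique Instruction Fuzzy Hashes to search other reports for."""
    return sorted({e.instruction_hash for e in entries if e.instruction_hash})
```

Feed the whole listing to `parse_entries` and the `suspicious_regions` output tells you which dumped regions (here 0x00ECD000 and 0x01020000 in process 3) carry the decompiled payload functions, while `pivot_hashes` gives the keys to compare against other AgentTesla or PureLog reports; the Opcode ID and Opcode Fuzzy Hash columns are identical in every entry on this page, so the Instruction Fuzzy Hash is the only field that varies per function.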