Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
Analysis ID:	1431495
MD5:	0213307d4a5c33c73fc8763498a054e5
SHA1:	2c6978c737ad7b1a9547ed3365fef15996d98137
SHA256:	6266398586cea7e8cc4154202bb9f5541b1a6b6b5640f0efdd2f2ef9e82c7ae6
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe" MD5: 0213307D4A5C33C73FC8763498A054E5)

SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe" MD5: 0213307D4A5C33C73FC8763498A054E5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.albushrametalic.com", "Username": "mustafa@albushrametalic.com", "Password": "GLBL1285#"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1699372281.0000000004F90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2880131729.00000000028DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1697066851.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2880131729.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2880131729.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2880131729.00000000028E4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2878165030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2878165030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1697066851.000000000473B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1697066851.000000000473B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe PID: 7404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe PID: 7404	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe PID: 7404	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe PID: 7588	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe PID: 7588	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.39e9970.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.39e9970.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.4f90000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.4f90000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3171b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3178d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31817:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x318a9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31913:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31985:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31a1b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31aab:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3351b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3358d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33617:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336a9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33713:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33785:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3381b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338ab:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3351b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dd3b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3358d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ddad:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33617:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6de37:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x336a9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6dec9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33713:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6df33:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33785:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6dfa5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3381b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e03b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x338ab:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e0cb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 8 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 50.87.218.140, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, Initiated: true, ProcessId: 7588, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.albushrametalic.com", "Username": "mustafa@albushrametalic.com", "Password": "GLBL1285#"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Virustotal: Detection: 35%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49733 version: TLS 1.2

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 4x nop then jmp 053DF541h	0_2_053DECE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 4x nop then jmp 053DF541h	0_2_053DEBDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 4x nop then jmp 053DF541h	0_2_053DEA9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 4x nop then jmp 053DF541h	0_2_053DECBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 4x nop then jmp 053DF541h	0_2_053DEC9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 4x nop then jmp 053DF541h	0_2_053DEF1B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 4x nop then jmp 053DF541h	0_2_053DEB3B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 4x nop then jmp 053DF541h	0_2_053DEB09
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 4x nop then jmp 053DF541h	0_2_053DEB90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 4x nop then jmp 053DF541h	0_2_053DEAC6

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 50.87.218.140:587

Source: Joe Sandbox View

IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 50.87.218.140:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.albushrametalic.com

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.00000000028DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.albushrametalic.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2879571005.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878983807.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878983807.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2879571005.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878983807.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878983807.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.0000000002861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2879571005.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878983807.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2879571005.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878983807.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1697066851.000000000473B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878165030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1697066851.000000000473B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878165030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.0000000002861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.0000000002861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.0000000002861000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49733 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_00A9E3B4	0_2_00A9E3B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_027C0779	0_2_027C0779
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053DA668	0_2_053DA668
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053D2117	0_2_053D2117
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053D2150	0_2_053D2150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053D2141	0_2_053D2141
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053DA230	0_2_053DA230
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053DC2A0	0_2_053DC2A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053DC290	0_2_053DC290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053DCC50	0_2_053DCC50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053D3810	0_2_053D3810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053D3800	0_2_053D3800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053D08B0	0_2_053D08B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053D089F	0_2_053D089F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053DAAA0	0_2_053DAAA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053DAA90	0_2_053DAA90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_00E2A968	2_2_00E2A968
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_00E24A98	2_2_00E24A98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_00E2DBE0	2_2_00E2DBE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_00E23E80	2_2_00E23E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_00E241C8	2_2_00E241C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_0661E4F9	2_2_0661E4F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_06615D68	2_2_06615D68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_066145E0	2_2_066145E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_06613598	2_2_06613598
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_06619218	2_2_06619218
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_06611058	2_2_06611058
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_0661A180	2_2_0661A180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_06615688	2_2_06615688
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_06613CDB	2_2_06613CDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_06610328	2_2_06610328
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_0661C3A0	2_2_0661C3A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_0676A068	2_2_0676A068

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1697066851.00000000043D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1696042995.0000000002A41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6e05af16-ebc6-4b97-8d30-78ae493d4992.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1702722006.00000000099A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1695067425.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1697066851.000000000473B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6e05af16-ebc6-4b97-8d30-78ae493d4992.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878165030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename6e05af16-ebc6-4b97-8d30-78ae493d4992.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878440651.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Binary or memory string: OriginalFilenamelgL.exe" vs SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.39e9970.7.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.39e9970.7.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, qYt43Hw1x654cfr8dB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, qYt43Hw1x654cfr8dB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, qYt43Hw1x654cfr8dB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.2c464c0.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.2a31e4c.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.2a421ec.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.2c35e60.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Mutant created: \Sessions\1\BaseNamedObjects\UevDKObWJiIT

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Virustotal: Detection: 35%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.39e9970.7.raw.unpack, V4uC3Iifq56IKQcfry.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, SpreadsheetName.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	.Net Code: cEuQDIn8i9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	.Net Code: cEuQDIn8i9 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	.Net Code: cEuQDIn8i9 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_027C0578 pushfd ; iretd	0_2_027C0581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_027C052A push eax; iretd	0_2_027C0531
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_04DC8E78 push eax; mov dword ptr [esp], ecx	0_2_04DC8E7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_04DC8E69 push eax; mov dword ptr [esp], ecx	0_2_04DC8E7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_04DC9951 push eax; ret	0_2_04DC9983
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053DD311 pushad ; retf	0_2_053DD315
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053D62A7 push ebx; iretd	0_2_053D62AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053DB932 pushad ; retf	0_2_053DB991
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 0_2_053DE941 push esp; ret	0_2_053DE949
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_00E20B4F push edi; ret	2_2_00E20CC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_00E27CDD push edx; ret	2_2_00E27CDE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_06765150 push es; ret	2_2_06765160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Code function: 2_2_0676FCC7 push es; retf	2_2_0676FCC8

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Static PE information: section name: .text entropy: 7.969312774312396

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, M2ootgS1CfuBsWFleq.cs	High entropy of concatenated method names: 'vZArptG6dd', 'KNbr0vUSq2', 'CmLrabUQpy', 'Oinr7PDnsX', 'DenrZseSs1', 'UJkafPiX5p', 'MXSaO0BEXs', 'KZBabedClb', 'XuVaFdZh7t', 'naRajZtyeE'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, yBOc7lgHd6VrnlsTNx.cs	High entropy of concatenated method names: 'UPqdoU8QPl', 'DPSd8wVPIc', 'ToString', 'pMxdmcorhr', 'SNhd0fDIJD', 'PvNdhPrMOe', 'K5MdaSTlC1', 'EsIdr5I3NC', 'dkyd717yPa', 'm1DdZGOa5H'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, hraxQMhxnO8RmGZUUe.cs	High entropy of concatenated method names: 'Sb5Rew0NUm', 'kQiRv5pjio', 'mYlRwh6UCk', 'AFkRPgWbkF', 'rJFRl6TlL4', 'w80R3lsj6Z', 'V6hR4AStjU', 'QnrRUGM0Oh', 'oHxRBlGy5t', 'rGlR5UexwE'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, HBFKX1JVt9TEuOClus.cs	High entropy of concatenated method names: 'qnxDkx8Cp', 'pkrCGYPPw', 'a4eHqLIX7', 'GxLIMqn53', 'gy69MSsVx', 'eDGq7VxDc', 'ymuCutqRKZpRg7vuUR', 'n1qQnFAc9DEhvLpHQ8', 'MriEx2xJp', 'di8XfN7y4'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, OeU3cI8sp3OjCJn3Kf.cs	High entropy of concatenated method names: 'ToString', 'XxosSaUOgR', 'pCOslyfI6Y', 'Qcns3dZRg9', 'kRts4HyJNJ', 'FLYsUX4dKU', 'VmmsBUL8FS', 'diHs5TrmMV', 'cABskkZWna', 'Ortsy7lMLd'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, fDvwuDXcNnoxRn0R7w.cs	High entropy of concatenated method names: 'uFAnYrwVVs', 'trCnghZubq', 'bfknQWvbHe', 'h74nm31d24', 'xPwn0YoNRP', 'hETna4A6Yb', 'RxVnrqOYkg', 'HOaEbLb1d2', 'yNOEFixNkv', 'sTCEjvUgyI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, uKNc5B3YlmhyRNdOetd.cs	High entropy of concatenated method names: 'fEBnAgJfTC', 'uHLnJbh8su', 'nfSnDVPMg9', 'xV8nCViDF1', 'EK2nMJAUpl', 'X0OnHLAJEt', 'Gp6nIFiTUV', 'zthnLmOiAL', 'GG2n9KZpKZ', 'naRnqIjx5w'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	High entropy of concatenated method names: 's9CgpR0WBt', 'zJdgmIPEaH', 'B08g0k4mMR', 'uW0ghX2J4M', 'ssggaex8Pq', 'hykgri8Thx', 'A2Ig7bw9K5', 'OcPgZo4opm', 'Ad8gGlD7YP', 'NoMgotyLBg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, o5bTuy6gKTgq9DpGpW.cs	High entropy of concatenated method names: 'J1w7mlkaEU', 'e7K7hql4A8', 'Wae7rekZx4', 'yX7rVuOA9j', 'rBarzXvjS2', 's7T71RenW7', 'vp37Y7T7Pu', 'ro17Nhgtmv', 'pNb7gn2s8x', 'IFD7QcNfs3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, uZfeGhWjtboPaKuqIs.cs	High entropy of concatenated method names: 'Dispose', 'xhVYjodVmv', 'YfnNlA2sJ0', 'VkuccqBVbJ', 'YImYV0uFFT', 'tj6YzjIWxR', 'ProcessDialogKey', 'gduN1kBhqD', 'ernNYSiimi', 'qTxNNx3hJO'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, zOvuh6z4XEuwhwvtHd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gfHntRbjO6', 'NKvnRHBw95', 'IydnsaCObt', 'FLJndmYeZo', 'oC2nE9PiTU', 'AjWnna6lx3', 'dlJnX3futx'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, ylPS4VFN0pw8cwdurc.cs	High entropy of concatenated method names: 'D0MEmtKTnV', 'je6E01deJT', 'RpUEhs0rBs', 'xNcEa5gW0H', 'aEyErGxqmU', 'R1sE7LSJ4a', 'EcDEZVZUKY', 'Q3rEGomUjG', 'dZnEo45mba', 'dl1E84eh5C'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, qYt43Hw1x654cfr8dB.cs	High entropy of concatenated method names: 'wiY0wkx6QM', 'ckS0PJvcRP', 'RnI0xLyljp', 'ooT0uSARtS', 'b1Y0f59b9d', 'gdx0O7P9EB', 'dHE0bGphU1', 'UWU0FhcTtb', 'Wmw0jBHOH0', 'WNj0V62qpg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, uWJfX3ONd7Hxnbpa08.cs	High entropy of concatenated method names: 'ByZE2LnrHO', 'lV9Elyw5Th', 'vptE3iOWvQ', 'R6iE40YhNN', 'X0kEw12wRj', 'PrkEU3mnjh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, NirxcLpgnhABtVmpoV.cs	High entropy of concatenated method names: 'JG1aMNY1Dn', 'g98aI7syAS', 'DEVh3BfQH9', 'j2jh4jcGdP', 'D2lhU3CBpE', 'F9MhBUYMrE', 'Fpgh5HLRRq', 'lMFhktyeK8', 'h9PhyDcHqV', 'HKNheTKgfm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, py9F9qQUTg99JaHyW8.cs	High entropy of concatenated method names: 'OpShCsmcqh', 'PFVhHD3E3j', 'c3ThLOWPvP', 'Ldlh9Y9l41', 'F3RhRwBh6a', 'jtphsjuhNY', 'XVZhdnSWL9', 'GYkhE8PQdj', 'SUOhnKtPy8', 'noXhXWkur6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, KxecM573EOlWiRyX2L.cs	High entropy of concatenated method names: 'OcodFyRrm2', 'QwfdV3ElvY', 'CNxE1WpK7P', 'biaEYQ2lXP', 'xCXdS1c2Ew', 'xb7dv9sJNU', 'KUxdTnSOXI', 'on7dwlRtea', 'X3NdPC7LKK', 'ONydxq6VGF'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, luO9kIbSScgVlQaNVi.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bxKNj3yGIp', 'aC4NV54DPr', 'qgTNzcZbug', 'dj5g1vqKZN', 'QoHgYtbshE', 'NvbgN3xrtk', 'kDWggOWQjM', 'ga7DULtvuABvf23Owly'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, QjoCtKKvdeTml6x2c4.cs	High entropy of concatenated method names: 'f0P7AIItXC', 'KKF7JPCOiK', 'N7L7Dr8K6p', 'Aqt7COiH1a', 'QuT7MjKH41', 'Q2x7HgCRcK', 'd087IIHSiX', 'B0R7LI1NZq', 'v4Z794Lhv0', 'T407qCQjla'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, WGiqJwVKmhfFXVpbWq.cs	High entropy of concatenated method names: 'eEDtLdnNms', 'zWnt9mPbcX', 'NfOt2iWEr8', 'PHXtlSNDsF', 'gZ3t4xnc2k', 'n0KtUuvLc5', 'sodt5MN3Hv', 'FWWtkywIqI', 'u3EteDdJHf', 'mS2tSoZMA0'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, jFJ6fd3ddQMLadc52Wm.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'b0wXw08Flu', 'uDDXPbsnSn', 'KU1XxgugVy', 'RLAXuKsoLo', 'A2gXfl86Gd', 'KCOXOfKXIS', 'FERXbT9Nnj'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.99a0000.10.raw.unpack, Reein8PgQXHy0KycGx.cs	High entropy of concatenated method names: 'x84Y7YgilO', 'nrrYZHLscX', 'SOQYoF8sl7', 'CifY8Z919L', 'VO8YRhmhxZ', 'BSlYsK6a9w', 'ctqly4Ne3x16cHsGgn', 'GCqYphc6T2GbsTBGa2', 'Se2YY1BNP2', 'nEpYgsCndi'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, M2ootgS1CfuBsWFleq.cs	High entropy of concatenated method names: 'vZArptG6dd', 'KNbr0vUSq2', 'CmLrabUQpy', 'Oinr7PDnsX', 'DenrZseSs1', 'UJkafPiX5p', 'MXSaO0BEXs', 'KZBabedClb', 'XuVaFdZh7t', 'naRajZtyeE'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, yBOc7lgHd6VrnlsTNx.cs	High entropy of concatenated method names: 'UPqdoU8QPl', 'DPSd8wVPIc', 'ToString', 'pMxdmcorhr', 'SNhd0fDIJD', 'PvNdhPrMOe', 'K5MdaSTlC1', 'EsIdr5I3NC', 'dkyd717yPa', 'm1DdZGOa5H'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, hraxQMhxnO8RmGZUUe.cs	High entropy of concatenated method names: 'Sb5Rew0NUm', 'kQiRv5pjio', 'mYlRwh6UCk', 'AFkRPgWbkF', 'rJFRl6TlL4', 'w80R3lsj6Z', 'V6hR4AStjU', 'QnrRUGM0Oh', 'oHxRBlGy5t', 'rGlR5UexwE'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, HBFKX1JVt9TEuOClus.cs	High entropy of concatenated method names: 'qnxDkx8Cp', 'pkrCGYPPw', 'a4eHqLIX7', 'GxLIMqn53', 'gy69MSsVx', 'eDGq7VxDc', 'ymuCutqRKZpRg7vuUR', 'n1qQnFAc9DEhvLpHQ8', 'MriEx2xJp', 'di8XfN7y4'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, OeU3cI8sp3OjCJn3Kf.cs	High entropy of concatenated method names: 'ToString', 'XxosSaUOgR', 'pCOslyfI6Y', 'Qcns3dZRg9', 'kRts4HyJNJ', 'FLYsUX4dKU', 'VmmsBUL8FS', 'diHs5TrmMV', 'cABskkZWna', 'Ortsy7lMLd'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, fDvwuDXcNnoxRn0R7w.cs	High entropy of concatenated method names: 'uFAnYrwVVs', 'trCnghZubq', 'bfknQWvbHe', 'h74nm31d24', 'xPwn0YoNRP', 'hETna4A6Yb', 'RxVnrqOYkg', 'HOaEbLb1d2', 'yNOEFixNkv', 'sTCEjvUgyI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, uKNc5B3YlmhyRNdOetd.cs	High entropy of concatenated method names: 'fEBnAgJfTC', 'uHLnJbh8su', 'nfSnDVPMg9', 'xV8nCViDF1', 'EK2nMJAUpl', 'X0OnHLAJEt', 'Gp6nIFiTUV', 'zthnLmOiAL', 'GG2n9KZpKZ', 'naRnqIjx5w'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	High entropy of concatenated method names: 's9CgpR0WBt', 'zJdgmIPEaH', 'B08g0k4mMR', 'uW0ghX2J4M', 'ssggaex8Pq', 'hykgri8Thx', 'A2Ig7bw9K5', 'OcPgZo4opm', 'Ad8gGlD7YP', 'NoMgotyLBg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, o5bTuy6gKTgq9DpGpW.cs	High entropy of concatenated method names: 'J1w7mlkaEU', 'e7K7hql4A8', 'Wae7rekZx4', 'yX7rVuOA9j', 'rBarzXvjS2', 's7T71RenW7', 'vp37Y7T7Pu', 'ro17Nhgtmv', 'pNb7gn2s8x', 'IFD7QcNfs3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, uZfeGhWjtboPaKuqIs.cs	High entropy of concatenated method names: 'Dispose', 'xhVYjodVmv', 'YfnNlA2sJ0', 'VkuccqBVbJ', 'YImYV0uFFT', 'tj6YzjIWxR', 'ProcessDialogKey', 'gduN1kBhqD', 'ernNYSiimi', 'qTxNNx3hJO'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, zOvuh6z4XEuwhwvtHd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gfHntRbjO6', 'NKvnRHBw95', 'IydnsaCObt', 'FLJndmYeZo', 'oC2nE9PiTU', 'AjWnna6lx3', 'dlJnX3futx'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, ylPS4VFN0pw8cwdurc.cs	High entropy of concatenated method names: 'D0MEmtKTnV', 'je6E01deJT', 'RpUEhs0rBs', 'xNcEa5gW0H', 'aEyErGxqmU', 'R1sE7LSJ4a', 'EcDEZVZUKY', 'Q3rEGomUjG', 'dZnEo45mba', 'dl1E84eh5C'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, qYt43Hw1x654cfr8dB.cs	High entropy of concatenated method names: 'wiY0wkx6QM', 'ckS0PJvcRP', 'RnI0xLyljp', 'ooT0uSARtS', 'b1Y0f59b9d', 'gdx0O7P9EB', 'dHE0bGphU1', 'UWU0FhcTtb', 'Wmw0jBHOH0', 'WNj0V62qpg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, uWJfX3ONd7Hxnbpa08.cs	High entropy of concatenated method names: 'ByZE2LnrHO', 'lV9Elyw5Th', 'vptE3iOWvQ', 'R6iE40YhNN', 'X0kEw12wRj', 'PrkEU3mnjh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, NirxcLpgnhABtVmpoV.cs	High entropy of concatenated method names: 'JG1aMNY1Dn', 'g98aI7syAS', 'DEVh3BfQH9', 'j2jh4jcGdP', 'D2lhU3CBpE', 'F9MhBUYMrE', 'Fpgh5HLRRq', 'lMFhktyeK8', 'h9PhyDcHqV', 'HKNheTKgfm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, py9F9qQUTg99JaHyW8.cs	High entropy of concatenated method names: 'OpShCsmcqh', 'PFVhHD3E3j', 'c3ThLOWPvP', 'Ldlh9Y9l41', 'F3RhRwBh6a', 'jtphsjuhNY', 'XVZhdnSWL9', 'GYkhE8PQdj', 'SUOhnKtPy8', 'noXhXWkur6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, KxecM573EOlWiRyX2L.cs	High entropy of concatenated method names: 'OcodFyRrm2', 'QwfdV3ElvY', 'CNxE1WpK7P', 'biaEYQ2lXP', 'xCXdS1c2Ew', 'xb7dv9sJNU', 'KUxdTnSOXI', 'on7dwlRtea', 'X3NdPC7LKK', 'ONydxq6VGF'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, luO9kIbSScgVlQaNVi.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bxKNj3yGIp', 'aC4NV54DPr', 'qgTNzcZbug', 'dj5g1vqKZN', 'QoHgYtbshE', 'NvbgN3xrtk', 'kDWggOWQjM', 'ga7DULtvuABvf23Owly'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, QjoCtKKvdeTml6x2c4.cs	High entropy of concatenated method names: 'f0P7AIItXC', 'KKF7JPCOiK', 'N7L7Dr8K6p', 'Aqt7COiH1a', 'QuT7MjKH41', 'Q2x7HgCRcK', 'd087IIHSiX', 'B0R7LI1NZq', 'v4Z794Lhv0', 'T407qCQjla'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, WGiqJwVKmhfFXVpbWq.cs	High entropy of concatenated method names: 'eEDtLdnNms', 'zWnt9mPbcX', 'NfOt2iWEr8', 'PHXtlSNDsF', 'gZ3t4xnc2k', 'n0KtUuvLc5', 'sodt5MN3Hv', 'FWWtkywIqI', 'u3EteDdJHf', 'mS2tSoZMA0'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, jFJ6fd3ddQMLadc52Wm.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'b0wXw08Flu', 'uDDXPbsnSn', 'KU1XxgugVy', 'RLAXuKsoLo', 'A2gXfl86Gd', 'KCOXOfKXIS', 'FERXbT9Nnj'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.45de130.4.raw.unpack, Reein8PgQXHy0KycGx.cs	High entropy of concatenated method names: 'x84Y7YgilO', 'nrrYZHLscX', 'SOQYoF8sl7', 'CifY8Z919L', 'VO8YRhmhxZ', 'BSlYsK6a9w', 'ctqly4Ne3x16cHsGgn', 'GCqYphc6T2GbsTBGa2', 'Se2YY1BNP2', 'nEpYgsCndi'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.39e9970.7.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.39e9970.7.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, M2ootgS1CfuBsWFleq.cs	High entropy of concatenated method names: 'vZArptG6dd', 'KNbr0vUSq2', 'CmLrabUQpy', 'Oinr7PDnsX', 'DenrZseSs1', 'UJkafPiX5p', 'MXSaO0BEXs', 'KZBabedClb', 'XuVaFdZh7t', 'naRajZtyeE'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, yBOc7lgHd6VrnlsTNx.cs	High entropy of concatenated method names: 'UPqdoU8QPl', 'DPSd8wVPIc', 'ToString', 'pMxdmcorhr', 'SNhd0fDIJD', 'PvNdhPrMOe', 'K5MdaSTlC1', 'EsIdr5I3NC', 'dkyd717yPa', 'm1DdZGOa5H'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, hraxQMhxnO8RmGZUUe.cs	High entropy of concatenated method names: 'Sb5Rew0NUm', 'kQiRv5pjio', 'mYlRwh6UCk', 'AFkRPgWbkF', 'rJFRl6TlL4', 'w80R3lsj6Z', 'V6hR4AStjU', 'QnrRUGM0Oh', 'oHxRBlGy5t', 'rGlR5UexwE'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, HBFKX1JVt9TEuOClus.cs	High entropy of concatenated method names: 'qnxDkx8Cp', 'pkrCGYPPw', 'a4eHqLIX7', 'GxLIMqn53', 'gy69MSsVx', 'eDGq7VxDc', 'ymuCutqRKZpRg7vuUR', 'n1qQnFAc9DEhvLpHQ8', 'MriEx2xJp', 'di8XfN7y4'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, OeU3cI8sp3OjCJn3Kf.cs	High entropy of concatenated method names: 'ToString', 'XxosSaUOgR', 'pCOslyfI6Y', 'Qcns3dZRg9', 'kRts4HyJNJ', 'FLYsUX4dKU', 'VmmsBUL8FS', 'diHs5TrmMV', 'cABskkZWna', 'Ortsy7lMLd'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, fDvwuDXcNnoxRn0R7w.cs	High entropy of concatenated method names: 'uFAnYrwVVs', 'trCnghZubq', 'bfknQWvbHe', 'h74nm31d24', 'xPwn0YoNRP', 'hETna4A6Yb', 'RxVnrqOYkg', 'HOaEbLb1d2', 'yNOEFixNkv', 'sTCEjvUgyI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, uKNc5B3YlmhyRNdOetd.cs	High entropy of concatenated method names: 'fEBnAgJfTC', 'uHLnJbh8su', 'nfSnDVPMg9', 'xV8nCViDF1', 'EK2nMJAUpl', 'X0OnHLAJEt', 'Gp6nIFiTUV', 'zthnLmOiAL', 'GG2n9KZpKZ', 'naRnqIjx5w'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, P1VTvV0hsXjgi8LbY8.cs	High entropy of concatenated method names: 's9CgpR0WBt', 'zJdgmIPEaH', 'B08g0k4mMR', 'uW0ghX2J4M', 'ssggaex8Pq', 'hykgri8Thx', 'A2Ig7bw9K5', 'OcPgZo4opm', 'Ad8gGlD7YP', 'NoMgotyLBg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, o5bTuy6gKTgq9DpGpW.cs	High entropy of concatenated method names: 'J1w7mlkaEU', 'e7K7hql4A8', 'Wae7rekZx4', 'yX7rVuOA9j', 'rBarzXvjS2', 's7T71RenW7', 'vp37Y7T7Pu', 'ro17Nhgtmv', 'pNb7gn2s8x', 'IFD7QcNfs3'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, uZfeGhWjtboPaKuqIs.cs	High entropy of concatenated method names: 'Dispose', 'xhVYjodVmv', 'YfnNlA2sJ0', 'VkuccqBVbJ', 'YImYV0uFFT', 'tj6YzjIWxR', 'ProcessDialogKey', 'gduN1kBhqD', 'ernNYSiimi', 'qTxNNx3hJO'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, zOvuh6z4XEuwhwvtHd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gfHntRbjO6', 'NKvnRHBw95', 'IydnsaCObt', 'FLJndmYeZo', 'oC2nE9PiTU', 'AjWnna6lx3', 'dlJnX3futx'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, ylPS4VFN0pw8cwdurc.cs	High entropy of concatenated method names: 'D0MEmtKTnV', 'je6E01deJT', 'RpUEhs0rBs', 'xNcEa5gW0H', 'aEyErGxqmU', 'R1sE7LSJ4a', 'EcDEZVZUKY', 'Q3rEGomUjG', 'dZnEo45mba', 'dl1E84eh5C'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, qYt43Hw1x654cfr8dB.cs	High entropy of concatenated method names: 'wiY0wkx6QM', 'ckS0PJvcRP', 'RnI0xLyljp', 'ooT0uSARtS', 'b1Y0f59b9d', 'gdx0O7P9EB', 'dHE0bGphU1', 'UWU0FhcTtb', 'Wmw0jBHOH0', 'WNj0V62qpg'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, uWJfX3ONd7Hxnbpa08.cs	High entropy of concatenated method names: 'ByZE2LnrHO', 'lV9Elyw5Th', 'vptE3iOWvQ', 'R6iE40YhNN', 'X0kEw12wRj', 'PrkEU3mnjh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, NirxcLpgnhABtVmpoV.cs	High entropy of concatenated method names: 'JG1aMNY1Dn', 'g98aI7syAS', 'DEVh3BfQH9', 'j2jh4jcGdP', 'D2lhU3CBpE', 'F9MhBUYMrE', 'Fpgh5HLRRq', 'lMFhktyeK8', 'h9PhyDcHqV', 'HKNheTKgfm'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, py9F9qQUTg99JaHyW8.cs	High entropy of concatenated method names: 'OpShCsmcqh', 'PFVhHD3E3j', 'c3ThLOWPvP', 'Ldlh9Y9l41', 'F3RhRwBh6a', 'jtphsjuhNY', 'XVZhdnSWL9', 'GYkhE8PQdj', 'SUOhnKtPy8', 'noXhXWkur6'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, KxecM573EOlWiRyX2L.cs	High entropy of concatenated method names: 'OcodFyRrm2', 'QwfdV3ElvY', 'CNxE1WpK7P', 'biaEYQ2lXP', 'xCXdS1c2Ew', 'xb7dv9sJNU', 'KUxdTnSOXI', 'on7dwlRtea', 'X3NdPC7LKK', 'ONydxq6VGF'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, luO9kIbSScgVlQaNVi.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'bxKNj3yGIp', 'aC4NV54DPr', 'qgTNzcZbug', 'dj5g1vqKZN', 'QoHgYtbshE', 'NvbgN3xrtk', 'kDWggOWQjM', 'ga7DULtvuABvf23Owly'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, QjoCtKKvdeTml6x2c4.cs	High entropy of concatenated method names: 'f0P7AIItXC', 'KKF7JPCOiK', 'N7L7Dr8K6p', 'Aqt7COiH1a', 'QuT7MjKH41', 'Q2x7HgCRcK', 'd087IIHSiX', 'B0R7LI1NZq', 'v4Z794Lhv0', 'T407qCQjla'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, WGiqJwVKmhfFXVpbWq.cs	High entropy of concatenated method names: 'eEDtLdnNms', 'zWnt9mPbcX', 'NfOt2iWEr8', 'PHXtlSNDsF', 'gZ3t4xnc2k', 'n0KtUuvLc5', 'sodt5MN3Hv', 'FWWtkywIqI', 'u3EteDdJHf', 'mS2tSoZMA0'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, jFJ6fd3ddQMLadc52Wm.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'b0wXw08Flu', 'uDDXPbsnSn', 'KU1XxgugVy', 'RLAXuKsoLo', 'A2gXfl86Gd', 'KCOXOfKXIS', 'FERXbT9Nnj'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.465a550.6.raw.unpack, Reein8PgQXHy0KycGx.cs	High entropy of concatenated method names: 'x84Y7YgilO', 'nrrYZHLscX', 'SOQYoF8sl7', 'CifY8Z919L', 'VO8YRhmhxZ', 'BSlYsK6a9w', 'ctqly4Ne3x16cHsGgn', 'GCqYphc6T2GbsTBGa2', 'Se2YY1BNP2', 'nEpYgsCndi'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe PID: 7404, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: 2740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: 74E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: 6ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: 84E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: 94E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: 9A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: AA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: BA20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Memory allocated: 4860000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Window / User API: threadDelayed 2388			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Window / User API: threadDelayed 2489			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7756	Thread sleep count: 2388 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7756	Thread sleep count: 2489 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -99435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -98775s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -98656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -98546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -98327s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -98218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -98109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -97999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -97890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -97781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -97671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -97452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe TID: 7748	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 99435	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 98775	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 98656	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 98546	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 98327	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 97999	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 97452	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2879571005.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2880131729.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2880131729.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2880131729.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2878165030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1697066851.000000000473B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe PID: 7588, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.39e9970.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.39e9970.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.4f90000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.4f90000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1699372281.0000000004F90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1697066851.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2880131729.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2878165030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1697066851.000000000473B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe PID: 7588, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.47759f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2880131729.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2880131729.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2880131729.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2878165030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1697066851.000000000473B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe PID: 7588, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.39e9970.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.39e9970.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.4f90000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.4f90000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1699372281.0000000004F90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1697066851.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	111 Security Software Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	21%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	36%	Virustotal		Browse
SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
mail.albushrametalic.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://mail.albushrametalic.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://mail.albushrametalic.com	2%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.albushrametalic.com	50.87.218.140	true	true	2%, Virustotal, Browse	unknown
api.ipify.org	104.26.12.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1697066851.000000000473B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878165030.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.0000000002861000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://r3.i.lencr.org/0	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2879571005.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878983807.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878983807.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1697066851.000000000473B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878165030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.0000000002861000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.albushrametalic.com	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.00000000028DC000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2879571005.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878983807.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2879571005.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878983807.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://r3.o.lencr.org0	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2879571005.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878983807.0000000000D77000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2878983807.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000002.00000002.2880131729.0000000002861000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe, 00000000.00000002.1701006031.00000000069B2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
50.87.218.140	mail.albushrametalic.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431495
Start date and time:	2024-04-25 10:27:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 117 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:27:56	API Interceptor	25x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Sonic-Glyder.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	Sky-Beta.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe	Get hash	malicious	Bunny Loader	Browse	api.ipify.org/
	lods.cmd	Get hash	malicious	Remcos	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Proforma Request.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Spare part list.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	M_F+niestandardowy stempel.xlsx.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	responsibilityleadpro.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	F#U0130YAT TEKL#U0130F.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	104.26.12.205
	New DHL Shipment Document Arrival Notice.pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	hesaphareketi_1.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	DHL Shipping doc.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://survey-smiles.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://rfpteams.ksplastlc.net	Get hash	malicious	Unknown	Browse	172.67.142.208
	https://app.milanote.com/1RZbnl1zfBXuaf?p=r2B66sphbV4	Get hash	malicious	Unknown	Browse	162.247.243.29
	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	http://decktop.us/gORiyf	Get hash	malicious	HTMLPhisher	Browse	104.16.117.116
	https://ortelia.com/download-ortelia-curator/	Get hash	malicious	Havoc	Browse	1.1.1.1
	o7b91j8vnJ.exe	Get hash	malicious	LummaC	Browse	172.67.163.209
	http://confirmartucuentamsnaquimx.hstn.me/login.live.com_login_verify_credentials_outlook.html	Get hash	malicious	HTMLPhisher	Browse	172.64.151.101
	https://ernestjcrist.icu/23d80j2d/qwd13d8jqd/index.html?13813e8=0101%2020596-12595&13813e8=https://femininplurielles.com	Get hash	malicious	TechSupportScam	Browse	104.21.53.38
	https://fassouyatajadalravuij.blob.core.windows.net/fassouyatajadalravuij/1.html?KIUS8wH0YY7cB2NMwxGsVoa5iezV7W9cvLqamEPM8HdxqBLgYyX6Goh6aNwgjitRkRWLcAfZPzQwfAIRlIAPQ3jfogxjD1t9nA60#cl/26081_md/7/18507/5419/19036/1614238	Get hash	malicious	Phisher	Browse	104.21.80.104
UNIFIEDLAYER-AS-1US	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.185.35.67
	http://pengoodet.live	Get hash	malicious	Unknown	Browse	69.89.24.98
	http://electricalsworksflorida.com/j6u	Get hash	malicious	HTMLPhisher	Browse	192.185.84.91
	https://gamma.app/docs/Shared-Document-9j9g6z8iqo1w0uu	Get hash	malicious	HTMLPhisher	Browse	192.185.97.246
	Total Invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	192.185.129.60
	https://content.amanet.org/?m=CiGW.81UwlU3LD6ZH5M4ZoUXv03dAeWfC&r=https://control.mailblaze.com/index.php/survey/ps97367sjy584	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	162.241.114.35
	http://keeper.com	Get hash	malicious	Unknown	Browse	192.185.65.45
	https://ken.fnh.temporary.site/wp-includes/sitemaps/update	Get hash	malicious	Unknown	Browse	192.185.46.79
	5RiFmXTOMp.elf	Get hash	malicious	Mirai	Browse	142.7.26.76
	SARL RABINEAU Order FA2495.exe	Get hash	malicious	AgentTesla	Browse	192.254.225.166

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Minutes_of_15th_Session_of_PSC.pdf.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	Minutes_of_15th_Session_of_PSC.pdf.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.Win32.PWSX-gen.25877.26069.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	Database4.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse	104.26.12.205
	Control-Tributario_KFRCkzlbCHUSEBMRSECA.zip	Get hash	malicious	Unknown	Browse	104.26.12.205
	Swift Payment.bat	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	https://8fq7c.eceydri.com/WK9D/	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	FW_ FHAS Inc_ - Private and Confidential.msg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.26.12.205
	Proforma Request.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.944329695138337
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
File size:	720'896 bytes
MD5:	0213307d4a5c33c73fc8763498a054e5
SHA1:	2c6978c737ad7b1a9547ed3365fef15996d98137
SHA256:	6266398586cea7e8cc4154202bb9f5541b1a6b6b5640f0efdd2f2ef9e82c7ae6
SHA512:	154fe0dc2e3184304ccdc360e9d10c025017b318998d405e9a8e74dc8161e40e1493aede3e8efcd412e62770dc6cc5c0afb26d5b1685ac0b692cfbf8c1aa8c62
SSDEEP:	12288:sWYIPXjxannnHg2SPMey7LKykiCjOkOt5hNF4rdYJpklo0rlBtVpd7kqD+:sWYIPFannnHg2SonkjOkiNS5YwrlBtn4
TLSH:	20E4238663E9472BF9BD13B018341910AB79E848D973F3191DC416D85E23B89D7F0B9B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)f..............0...... ......:.... ........@.. .......................@............`................................

File Icon


Icon Hash:	c14e4c4c4c4c4f41

Static PE Info

General

Entrypoint:	0x4af63a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6629D29A [Thu Apr 25 03:48:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
xor eax, 35455354h
xor dword ptr [edi+eax*2], esi
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+4Ah], dl
push ebx
cmp byte ptr [eax+edi+34h], al
inc ebx
inc ebx
xor al, 37h
xor eax, 00000035h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaf5e8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x1008	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xad660	0xad800	7a7a359c432e0833061e3f7d866dee20	False	0.953274157961095	data	7.969312774312396	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x1008	0x1800	a06cb0134df38ab69b0029bcc352613a	False	0.5413411458333334	data	5.082436440506891	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x800	9b87eaf445ec58db394ef287a1f8ad79	False	0.015625	data	0.03037337037012526	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb00c8	0xc08	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9308441558441558
RT_GROUP_ICON	0xb0ce0	0x14	data	1.05
RT_VERSION	0xb0d04	0x300	MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"	0.4427083333333333

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 10:28:00.812685013 CEST	49733	443	192.168.2.4	104.26.12.205
Apr 25, 2024 10:28:00.812736988 CEST	443	49733	104.26.12.205	192.168.2.4
Apr 25, 2024 10:28:00.812823057 CEST	49733	443	192.168.2.4	104.26.12.205
Apr 25, 2024 10:28:00.822607040 CEST	49733	443	192.168.2.4	104.26.12.205
Apr 25, 2024 10:28:00.822634935 CEST	443	49733	104.26.12.205	192.168.2.4
Apr 25, 2024 10:28:01.055665016 CEST	443	49733	104.26.12.205	192.168.2.4
Apr 25, 2024 10:28:01.055753946 CEST	49733	443	192.168.2.4	104.26.12.205
Apr 25, 2024 10:28:01.062011003 CEST	49733	443	192.168.2.4	104.26.12.205
Apr 25, 2024 10:28:01.062035084 CEST	443	49733	104.26.12.205	192.168.2.4
Apr 25, 2024 10:28:01.062421083 CEST	443	49733	104.26.12.205	192.168.2.4
Apr 25, 2024 10:28:01.110483885 CEST	49733	443	192.168.2.4	104.26.12.205
Apr 25, 2024 10:28:01.217885971 CEST	49733	443	192.168.2.4	104.26.12.205
Apr 25, 2024 10:28:01.260152102 CEST	443	49733	104.26.12.205	192.168.2.4
Apr 25, 2024 10:28:01.355022907 CEST	443	49733	104.26.12.205	192.168.2.4
Apr 25, 2024 10:28:01.355082989 CEST	443	49733	104.26.12.205	192.168.2.4
Apr 25, 2024 10:28:01.355140924 CEST	49733	443	192.168.2.4	104.26.12.205
Apr 25, 2024 10:28:01.361155987 CEST	49733	443	192.168.2.4	104.26.12.205
Apr 25, 2024 10:28:02.036662102 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:02.195396900 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:02.195542097 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:02.490710974 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:02.490926027 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:02.649997950 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:02.650208950 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:02.810406923 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:02.810924053 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:02.980613947 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:02.980679035 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:02.980720997 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:02.980772972 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:02.980773926 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:02.980822086 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:03.075043917 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:03.234816074 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:03.237978935 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:03.396980047 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:03.398127079 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:03.557307959 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:03.557698965 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:03.757386923 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:03.809722900 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:03.810090065 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:03.968780041 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:03.968823910 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:03.969353914 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:04.169306993 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:04.187998056 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:04.188215971 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:04.346904039 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:04.347013950 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:04.347800016 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:04.347929001 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:04.347929001 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:04.347929001 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:28:04.506491899 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:04.506736040 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:04.507910013 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:28:04.563600063 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:29:41.907696962 CEST	49736	587	192.168.2.4	50.87.218.140
Apr 25, 2024 10:29:42.068231106 CEST	587	49736	50.87.218.140	192.168.2.4
Apr 25, 2024 10:29:42.069293976 CEST	49736	587	192.168.2.4	50.87.218.140

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 10:28:00.694180965 CEST	59198	53	192.168.2.4	1.1.1.1
Apr 25, 2024 10:28:00.804600954 CEST	53	59198	1.1.1.1	192.168.2.4
Apr 25, 2024 10:28:01.886472940 CEST	55964	53	192.168.2.4	1.1.1.1
Apr 25, 2024 10:28:02.035995007 CEST	53	55964	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 10:28:00.694180965 CEST	192.168.2.4	1.1.1.1	0x8d35	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:28:01.886472940 CEST	192.168.2.4	1.1.1.1	0x5806	Standard query (0)	mail.albushrametalic.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 10:28:00.804600954 CEST	1.1.1.1	192.168.2.4	0x8d35	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:28:00.804600954 CEST	1.1.1.1	192.168.2.4	0x8d35	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:28:00.804600954 CEST	1.1.1.1	192.168.2.4	0x8d35	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Apr 25, 2024 10:28:02.035995007 CEST	1.1.1.1	192.168.2.4	0x5806	No error (0)	mail.albushrametalic.com	50.87.218.140	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	104.26.12.205	443	7588	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-25 08:28:01 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-04-25 08:28:01 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 25 Apr 2024 08:28:01 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 879cf50bfbcb7b9f-ATL
2024-04-25 08:28:01 UTC	14	IN	Data Raw: 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 Data Ascii: 185.152.66.230

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 25, 2024 10:28:02.490710974 CEST	587	49736	50.87.218.140	192.168.2.4	220-box2229.bluehost.com ESMTP Exim 4.96.2 #2 Thu, 25 Apr 2024 02:28:02 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 25, 2024 10:28:02.490926027 CEST	49736	587	192.168.2.4	50.87.218.140	EHLO 642294
Apr 25, 2024 10:28:02.649997950 CEST	587	49736	50.87.218.140	192.168.2.4	250-box2229.bluehost.com Hello 642294 [185.152.66.230] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 25, 2024 10:28:02.650208950 CEST	49736	587	192.168.2.4	50.87.218.140	STARTTLS
Apr 25, 2024 10:28:02.810406923 CEST	587	49736	50.87.218.140	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	10:27:55
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe"
Imagebase:	0x3d0000
File size:	720'896 bytes
MD5 hash:	0213307D4A5C33C73FC8763498A054E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1699372281.0000000004F90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1697066851.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1697066851.000000000473B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1697066851.000000000473B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:27:59
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe"
Imagebase:	0x620000
File size:	720'896 bytes
MD5 hash:	0213307D4A5C33C73FC8763498A054E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2880131729.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2880131729.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2880131729.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2880131729.00000000028E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2878165030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2878165030.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	18.7%
Total number of Nodes:	267
Total number of Limit Nodes:	15

Executed Functions

Function 027C0779 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d7db2abe722183feb04ddcdad48aadbadd52aca4cfc138871fcc79d564f1f4
Instruction ID: 141d5cd67bf8b3a96a7182ecdfb0e73b6964cb23fd7b37e48df4b91544768abb
Opcode Fuzzy Hash: 20d7db2abe722183feb04ddcdad48aadbadd52aca4cfc138871fcc79d564f1f4
Instruction Fuzzy Hash: F9C1BB707016008FDB29EBB5C550B6EB7F7AF89704F24856ED14ACB295DB34E902CB91

Uniqueness

Uniqueness Score: -1.00%

Function 053DEC9D Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae24afef353553a1e985952db17e3d4c9e674780d8e318643e413a5c114140d
Instruction ID: b244880e95556d1593f01dd1aa9043b55bbad9745e6dde1d1a16881d9328d0ee
Opcode Fuzzy Hash: bae24afef353553a1e985952db17e3d4c9e674780d8e318643e413a5c114140d
Instruction Fuzzy Hash: C5412C7690A228DFDB20CF24E8847E8FBBABB4A305F1451D5D40EA7251C7749AC5CF11

Uniqueness

Uniqueness Score: -1.00%

Function 053DEB90 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78513203f339bfd26d56945f250fea94c4df72f43bb9820f50826d03c2c897e
Instruction ID: 374171b5ddb3ac0b34e208b3c87209ae731f66f535eac5833911b52279f4c244
Opcode Fuzzy Hash: f78513203f339bfd26d56945f250fea94c4df72f43bb9820f50826d03c2c897e
Instruction Fuzzy Hash: C6411B7AD0A228DFDB20CF64E8847E8FBB9FB4A301F5451D9D40AA7251CB745A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 053DEA9A Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afae61f79db9a098945f3399491ad2b3c455186852252f9bcb5748bb50f6371
Instruction ID: 05e3b7c9fc23e4ab3e346311346bc6582e9333a68f3f2e8b4749b19f78ebffd4
Opcode Fuzzy Hash: 2afae61f79db9a098945f3399491ad2b3c455186852252f9bcb5748bb50f6371
Instruction Fuzzy Hash: 48413A7AD0A258DFDB20CF64E8847ECFBB9BB4A301F0551A5D40EA7251CB748A85CF21

Uniqueness

Uniqueness Score: -1.00%

Function 053DECE7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f430102cb1c60d22c2c1e59bed9f6c30e6e882b09b5c828bc77a27c4097df740
Instruction ID: a04ef30f70f773ef65f8931c3922ba3d0cc6b0405af3a91475b24b36edac0254
Opcode Fuzzy Hash: f430102cb1c60d22c2c1e59bed9f6c30e6e882b09b5c828bc77a27c4097df740
Instruction Fuzzy Hash: 56410976906228DFDB21CF64E888BE8FBB9BB4A305F0451D5D40EA7251C7749AC4CF21

Uniqueness

Uniqueness Score: -1.00%

Function 053DEBDB Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2ce6949e0be79eb25347093b5663d2474f00f1fc967f4f5b243466afe8bd2e
Instruction ID: 9ba1f8cde9054e5dde94acccbe94ad03a1b37b556145a2b9b329d298a5163eb3
Opcode Fuzzy Hash: 4a2ce6949e0be79eb25347093b5663d2474f00f1fc967f4f5b243466afe8bd2e
Instruction Fuzzy Hash: 54411A7A90A228DFCB20CF24E8847E8FBB9BB4A301F1451D5D40AA7251CB749AC4CF21

Uniqueness

Uniqueness Score: -1.00%

Function 053DEAC6 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a687659ce71ffca169a34874c51ca0227abc0b613a8246cf227f7314f74a95
Instruction ID: c4f8cb8a9cd87e399c49537b717a99d0ad3c9083311a1dfb7b0e810df06f9b6b
Opcode Fuzzy Hash: 21a687659ce71ffca169a34874c51ca0227abc0b613a8246cf227f7314f74a95
Instruction Fuzzy Hash: 3A410B7A90A268DFDB20CF24E8897E8FBB9BB4A315F0151D5D00EA7251CB744AC4CF21

Uniqueness

Uniqueness Score: -1.00%

Function 053DEB3B Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c510d69014c26b4330589909466271625e7c7509428629f6e74df65be984cd
Instruction ID: b2c536527ef136340580d4b2a2a30a87753c43cd1f8173327eca7599e4b274e8
Opcode Fuzzy Hash: 24c510d69014c26b4330589909466271625e7c7509428629f6e74df65be984cd
Instruction Fuzzy Hash: C9311D7A90A218DFDB20CF64E8887E8FBB9FB4A315F0551D5D40AA7251C7748AC5CF21

Uniqueness

Uniqueness Score: -1.00%

Function 053DEF1B Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 185e677b1c44581e720c537f9f780d7241921f14b31a214cc05d5b9012fac535
Instruction ID: 6e1f0304b8ec593893205adfa7b9313869e614e72f00bad6de2fb7a3953d805d
Opcode Fuzzy Hash: 185e677b1c44581e720c537f9f780d7241921f14b31a214cc05d5b9012fac535
Instruction Fuzzy Hash: F931F67A90A228DFDB20CF64E8887E8FBB9BB4A311F4151D5D00EA7251CB744AC4CF21

Uniqueness

Uniqueness Score: -1.00%

Function 053DEB09 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55944d4fa6538c14847ec07e42b5ff3ad25db369ac33a450c1ba3a4f2b37535
Instruction ID: 2a12cf915ef72941eae19c6d9234677efaec53ac2458fada167c56d747f69b35
Opcode Fuzzy Hash: d55944d4fa6538c14847ec07e42b5ff3ad25db369ac33a450c1ba3a4f2b37535
Instruction Fuzzy Hash: 1B31297AD4A228DFDB20CF64E8847E8FBB9BB4A301F0051D5D00AA7251CB744A84CF21

Uniqueness

Uniqueness Score: -1.00%

Function 053DECBC Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978ff98326461a6a0c33e9c708daa993472bf104db50df34205931604dff78ba
Instruction ID: 62c1291fc2f8cb97dec32688dea67286a5f4323f2484e87fc0e7a4137a570843
Opcode Fuzzy Hash: 978ff98326461a6a0c33e9c708daa993472bf104db50df34205931604dff78ba
Instruction Fuzzy Hash: FCE04F77E4E008EFCB00EEA4B9881F8F7BDAB5B252F0530A1940E97601D67049605A74

Uniqueness

Uniqueness Score: -1.00%

Function 00A9D7F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A9D876
GetCurrentThread.KERNEL32 ref: 00A9D8B3
GetCurrentProcess.KERNEL32 ref: 00A9D8F0
GetCurrentThreadId.KERNEL32 ref: 00A9D949

Memory Dump Source

Source File: 00000000.00000002.1694713219.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8c4360b2d4fdf6338a249d8fb0402a2403643a00b17f231d898364b9cab06533
Instruction ID: b075bf6fd949823f64c1bb3b079b3440433bd673f2b56b594141312043649b85
Opcode Fuzzy Hash: 8c4360b2d4fdf6338a249d8fb0402a2403643a00b17f231d898364b9cab06533
Instruction Fuzzy Hash: 535134B0A003098FDB14DFA9D548B9EBBF1EB88314F248469E019A7361DB749984CF69

Uniqueness

Uniqueness Score: -1.00%

Function 053DD3C5 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 053DD606

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 271117c2c8a4a4180a0dec7e0e9cbf69694509199cca8e906bc2c5b11cb118dc
Instruction ID: 29f94f8aaec2649c1e93f6052df8faa952303f02f33316cb46df0c5adb43c560
Opcode Fuzzy Hash: 271117c2c8a4a4180a0dec7e0e9cbf69694509199cca8e906bc2c5b11cb118dc
Instruction Fuzzy Hash: 10A15C72D00219DFDB10CFA8D841BEEFBB2BF48314F1485A9E849A7250DB759985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 053DD3D0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 053DD606

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 92d9b24b28b88c16dd576127a0e851c622913ad3ca1dd8d3c7177b40a9cf6d93
Instruction ID: 309bb63ee766f4e47f3ffed7141584b00be1200c0972caa609b884be5ed42159
Opcode Fuzzy Hash: 92d9b24b28b88c16dd576127a0e851c622913ad3ca1dd8d3c7177b40a9cf6d93
Instruction Fuzzy Hash: 02914C71D00219DFDB10CFA8D841BEEFBB2BF48314F1485A9E849A7250DB759985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B55F Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A9B7C6

Memory Dump Source

Source File: 00000000.00000002.1694713219.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8772fc0615e4387aee1bdaf4b032799da7b455b719102edc30c7a551be7c49f7
Instruction ID: dc3f423a0464572ae6e6ab562ca032d4894ec0fbd3af5930ccb8dc0dc45f666b
Opcode Fuzzy Hash: 8772fc0615e4387aee1bdaf4b032799da7b455b719102edc30c7a551be7c49f7
Instruction Fuzzy Hash: 14815870A00B458FDB24DF29D64479ABBF1FF88300F10892ED08ADBA50D775E949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A95A84 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1694713219.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3561bb439d2a1379eb923805b4db9415d77221d45537635cb6ba951537e3258
Instruction ID: 7485239c81352f30ca900806aa61e2ceb4968445a3488a0eae929758569aedda
Opcode Fuzzy Hash: c3561bb439d2a1379eb923805b4db9415d77221d45537635cb6ba951537e3258
Instruction Fuzzy Hash: DA41EE71D00A48CEEF12DFB8C84A7EDBBF0AF52314F248189C045AB265C7359946CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00A944E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A959C9

Memory Dump Source

Source File: 00000000.00000002.1694713219.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 07692501b50d02245ab103ac4369e0f3d53ba85ba807f5ba2394e40f4fe44ef8
Instruction ID: 0176a1b30e506b76ce287de9971efe8c82a18c8fb69aea663e43e68dfc39b7a7
Opcode Fuzzy Hash: 07692501b50d02245ab103ac4369e0f3d53ba85ba807f5ba2394e40f4fe44ef8
Instruction Fuzzy Hash: E841FFB0D00619CBDF24DFA9C985B8EBBF5BF49304F2080AAD408AB255DB756945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A9590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A959C9

Memory Dump Source

Source File: 00000000.00000002.1694713219.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2500bbde0b5ef6c01b6c5fed7e43ef3292f9f40dfa30a2face3a4c9168b55f4a
Instruction ID: bffe9addf0347faa9509f346fdb6ed61274e0b5e036839356eb96ab180394aca
Opcode Fuzzy Hash: 2500bbde0b5ef6c01b6c5fed7e43ef3292f9f40dfa30a2face3a4c9168b55f4a
Instruction Fuzzy Hash: 01410FB0C00619CFDF24CFA9C885B8EBBF5BF48304F2080AAD408AB251DBB55946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 053DD141 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 053DD1D8

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d58f2cb3539710c96069e1a0c663b91bb4739d70a20f9c0de1c4085b1c39f4ff
Instruction ID: 7e1852bf4bca8c75656c5e7a418a4e2a43a3809545da6a6228f4540f173ce682
Opcode Fuzzy Hash: d58f2cb3539710c96069e1a0c663b91bb4739d70a20f9c0de1c4085b1c39f4ff
Instruction Fuzzy Hash: F42137B29002599FCB10CFA9D880BDEBBF5FF48310F10882AE959A7240D7789545CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 053DD148 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 053DD1D8

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 14e2bfb3519e4142db89aa401d068117d80c4a97ab5e7a2fa0cc572acf42bb6e
Instruction ID: 048a153dea4cfb5a8fe55dee77dd2c61840b431fcc38f77d2a63b946779a41fb
Opcode Fuzzy Hash: 14e2bfb3519e4142db89aa401d068117d80c4a97ab5e7a2fa0cc572acf42bb6e
Instruction Fuzzy Hash: FC2127B29003599FCB10DFA9C985BDEFBF5FF48310F108829E959A7250C7789944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 053DD230 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 053DD2B8

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8fffb3a401db2f9ad9a92b1f2b5ef96018f53530a2b407c2d1268f9c68b68e8b
Instruction ID: aa9ee7c80d7d5342ecf59a5be40ff2329bf9ac220fd302f966586af7570ca1d7
Opcode Fuzzy Hash: 8fffb3a401db2f9ad9a92b1f2b5ef96018f53530a2b407c2d1268f9c68b68e8b
Instruction Fuzzy Hash: CA212AB19003599FCB10DFA9D840AEEFBF5FF48320F10842AE559A7250C7759545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 053DCB71 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 053DCBF6

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: db5fa977167ca49365e59d0a4a2663cf211c337e6ccb2d61203a18853869529f
Instruction ID: addcf1c8fb27ec25ec7eb0f8448da9f99a2d86a072f6293d04c59e057b5cf181
Opcode Fuzzy Hash: db5fa977167ca49365e59d0a4a2663cf211c337e6ccb2d61203a18853869529f
Instruction Fuzzy Hash: 522168B29002098FDB10DFAAC4847EEFBF0FF48320F108429D459A7241C778A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 053DD238 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 053DD2B8

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f3c7d205f321c0733c53893ccdd61c5c4b8e13d66bde6b27f9fdfac083c44073
Instruction ID: 7be530b4bec8d55615bf120fb81f297b233e30b39d580ea9a8809918f8d9ae5d
Opcode Fuzzy Hash: f3c7d205f321c0733c53893ccdd61c5c4b8e13d66bde6b27f9fdfac083c44073
Instruction Fuzzy Hash: C12128B18002599FCB10DFAAC840ADEFBF5FF48320F108829E559A7250C7749944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 053DCB78 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 053DCBF6

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 48720368c6002716f4fdc3dce96a28d43f928238c88fbfbad87ec29c78eb1f52
Instruction ID: 66f0c27afee6ed154bc25c50d1483017aea636dc19e4421486add32ad6da9825
Opcode Fuzzy Hash: 48720368c6002716f4fdc3dce96a28d43f928238c88fbfbad87ec29c78eb1f52
Instruction Fuzzy Hash: B42138B29002098FDB10DFAAC4857EEFBF4EF48324F108429D459A7241C7789945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A9DA40 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A9DAC7

Memory Dump Source

Source File: 00000000.00000002.1694713219.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2d8fe383c3332dcce4c865989b533538bab5738c8af7f51db06b9f01c5d68c03
Instruction ID: 24651bc1c21c62ab2200c41871d2942307d337b392203612f3c78bb3542dba4c
Opcode Fuzzy Hash: 2d8fe383c3332dcce4c865989b533538bab5738c8af7f51db06b9f01c5d68c03
Instruction Fuzzy Hash: 3021C4B59002589FDB10CFAAD584ADEFBF4EB48320F14841AE958A7350D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 053DD080 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 053DD0F6

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5fcea9be74a5b917128792df9847037f92bcd6ddd4db9688444cffd8804a7fff
Instruction ID: 6a71607285b9e5c002958130243889791f9bb761f6719db8d60ffefb3637f200
Opcode Fuzzy Hash: 5fcea9be74a5b917128792df9847037f92bcd6ddd4db9688444cffd8804a7fff
Instruction Fuzzy Hash: 0E1186B28002489FCB10DFAAC845BEEFFF5EF88324F208819E459A7250C775A544CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AFB0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A9B841,00000800,00000000,00000000), ref: 00A9BA52

Memory Dump Source

Source File: 00000000.00000002.1694713219.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a96b470561535d5e9cc9731b3652ad8db7492073c6bc56a47dc68ead351e4fd3
Instruction ID: e1641580a51ff81cb2df55f4fe938f6dabb30723cc6f3265ce7b82f2f1516bdc
Opcode Fuzzy Hash: a96b470561535d5e9cc9731b3652ad8db7492073c6bc56a47dc68ead351e4fd3
Instruction Fuzzy Hash: 501112B69003089FCB20CF9AD544ADEFBF4EB48320F10842EE519A7610C3B5A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B9E1 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A9B841,00000800,00000000,00000000), ref: 00A9BA52

Memory Dump Source

Source File: 00000000.00000002.1694713219.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4df2c9e2cec7b4385ea1c18eb6a73cfec52cec362778e9ce58ce32c583ac25ab
Instruction ID: cd456b76c20cc39cc9cea3b70f17b2de71313385c20ed35ea38a6bb686437d82
Opcode Fuzzy Hash: 4df2c9e2cec7b4385ea1c18eb6a73cfec52cec362778e9ce58ce32c583ac25ab
Instruction Fuzzy Hash: D91114B6D002499FDB20CFAAD584ADEFBF4EF48320F10842ED459A7611C775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 053DD088 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 053DD0F6

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8293bbac01a90615666e48b64f4034589ab6709e46071229f4bfcb9273d31644
Instruction ID: 0df05530cf3e4e5b4a227d95091b6cd37a397fd5538d54bfe8d975ea35dd87ba
Opcode Fuzzy Hash: 8293bbac01a90615666e48b64f4034589ab6709e46071229f4bfcb9273d31644
Instruction Fuzzy Hash: 2D1126B29002499FCB10DFAAD844BDEFFF5EB88320F208819E559A7250C775A554CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 053DCAC0 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 053DCB2A

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3b4756e2792d5993cfaf9e1425d8438b4cb6a4bec727544a17f7df080b08254a
Instruction ID: 632d269aeb4178be0c52ef41262b1bc97e1847eb50fc155838c8181b1b13772b
Opcode Fuzzy Hash: 3b4756e2792d5993cfaf9e1425d8438b4cb6a4bec727544a17f7df080b08254a
Instruction Fuzzy Hash: 92115BB29042498FCB10DFAAD4457DEFFF4EF88324F208829D459A7240C775A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 053DFA39 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 053DFA9D

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7232b3d042f27da7986f27f7c50afec425ea7c1037bc126b0c2a8904720280bf
Instruction ID: cc147e88d18e5ae193f506dd10ca7792582f59cd77f05b451abd0151cad3409f
Opcode Fuzzy Hash: 7232b3d042f27da7986f27f7c50afec425ea7c1037bc126b0c2a8904720280bf
Instruction Fuzzy Hash: 7A11F5B68003499FCB10DF99D985BDEFBF8EB48324F10841AE559A7250C375A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 053DCAC8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 053DCB2A

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b311a0f34d02350b4783c4cbcf60f7d0cfbf0fd5995b971c77cbdd6f8ea0d5ea
Instruction ID: 631238c1c824a7f4a23526d595bfb202e33ca1caf406dc950f7531d531f7aa16
Opcode Fuzzy Hash: b311a0f34d02350b4783c4cbcf60f7d0cfbf0fd5995b971c77cbdd6f8ea0d5ea
Instruction Fuzzy Hash: D9113AB29042488FDB10DFAAD4457DEFBF4EB88324F208429D459A7250C775A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B760 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A9B7C6

Memory Dump Source

Source File: 00000000.00000002.1694713219.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bf6b0cdeffd1e9fcee6545aefba6c5b358c1eef2dce0d83fad2f5b8f412464fa
Instruction ID: 4388897240a9b889cc8a302402d09e78b2f371dd6437f5115432c5ccda31a95a
Opcode Fuzzy Hash: bf6b0cdeffd1e9fcee6545aefba6c5b358c1eef2dce0d83fad2f5b8f412464fa
Instruction Fuzzy Hash: 21111DB6D002498FCB10CF9AD544ADEFBF8AF88320F10852AD828B7610C379A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 053DBA28 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 053DFA9D

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 299913997bc1bbe7fffde6ee4c6dba58771d0b7ddc0e9dc107b9b88adeaba75d
Instruction ID: 34228d2057b69286415885abeda36c0556d4f2dc823c8327c42f1faef24d3217
Opcode Fuzzy Hash: 299913997bc1bbe7fffde6ee4c6dba58771d0b7ddc0e9dc107b9b88adeaba75d
Instruction Fuzzy Hash: CD1106B6800349DFCB10DF9AD585BDEFBF8EB48314F108459E559A7200C375A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 027C0BA0 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0613635fe41ac44dd6fa57c9c7a9132c8a813f9699b7768e27d91415f442207
Instruction ID: 74f83bb625c4c74a2d26e2b81e9207aaee1505713fc5352c0062cc0f3e2aa5ce
Opcode Fuzzy Hash: e0613635fe41ac44dd6fa57c9c7a9132c8a813f9699b7768e27d91415f442207
Instruction Fuzzy Hash: E2A12570B012049FDB14DBA9D594AAEBBF6AF88704F2044ADE505AB3A1CB71ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 027C1658 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f68d1272affe0a7bd3f640a65b01cc30f5e92cf204d122ee4a97e5b66a9fc4e
Instruction ID: c1077ab67b1f2aeb7e192b07fdfde362bb167a397f63d96deea35a7b2623398e
Opcode Fuzzy Hash: 0f68d1272affe0a7bd3f640a65b01cc30f5e92cf204d122ee4a97e5b66a9fc4e
Instruction Fuzzy Hash: E93177307046118FDB19EB39D55076AB3E2AF85344F68847ED00ACB3A2DF35E806CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693589580.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f792785955c983212dacd80b1649cefe3cc5e8df6463e9dd291a31a120d1f65
Instruction ID: b9bd1bbf3d547579278914f713e43ad7ee3c9b759b7cc7bcddf1701e6a9f8593
Opcode Fuzzy Hash: 1f792785955c983212dacd80b1649cefe3cc5e8df6463e9dd291a31a120d1f65
Instruction Fuzzy Hash: F2212571504204DFDB05EF18E9C4B26BF65FB98324F20C579E9094F257C336E856CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694386264.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7deb9460575b9737edb1b8ccbf535f342a1a472debc8fb154161215f5c93dbbf
Instruction ID: 30be535d5dd1a982013694b0de865f85c331689fd4119678d48402e941a216a1
Opcode Fuzzy Hash: 7deb9460575b9737edb1b8ccbf535f342a1a472debc8fb154161215f5c93dbbf
Instruction Fuzzy Hash: 98210471504200EFDB05DF94E9C0B67BBA5FB84314F20C66DF8494B296C736D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694386264.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc408be0d19f4a16c8ebb86392d9f74ffc324d98a8d4761bb412376cb2feeeb
Instruction ID: 498cd484f80f32dd145a323f1faf95b533623326c83e7b309e69c6a320456e51
Opcode Fuzzy Hash: 7fc408be0d19f4a16c8ebb86392d9f74ffc324d98a8d4761bb412376cb2feeeb
Instruction Fuzzy Hash: D1210471604200DFCB18DF24E9C4B26BFA5FB85B14F20C56DF84A4B296C33AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 027C1668 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c187488851f36905853cf55d549c32810bc0d7f478042f341bcbd2e604a92fae
Instruction ID: f5b0e6d18f10b360eedd3eb7b3474f267ac057a6e6c5a2e4bf1073f65091bca5
Opcode Fuzzy Hash: c187488851f36905853cf55d549c32810bc0d7f478042f341bcbd2e604a92fae
Instruction Fuzzy Hash: 612138307006118FDB29AB39D51476AB3E6EF89354F64447DE109CB3A2DF35E805CB55

Uniqueness

Uniqueness Score: -1.00%

Function 027C1667 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b6dac11ca89bee95ccb1ead088d2a3371920f76d7a07f668f15e0a4707c8c1
Instruction ID: 43e4227827cc7d70546a23ee1ae69c05f8211c05244218d92055552db5948ab0
Opcode Fuzzy Hash: 36b6dac11ca89bee95ccb1ead088d2a3371920f76d7a07f668f15e0a4707c8c1
Instruction Fuzzy Hash: C82168307006118FCB29AB39D5547AAB3E6EF89344F64447DE00ACB3A2DF35D806CB55

Uniqueness

Uniqueness Score: -1.00%

Function 027C06E8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8bb769e563b8455a3b2a24b3abc0d2edde8959245eac2d86ce6adfc2476ea3
Instruction ID: 4b3dd2da0b637e31c403b78414dba78436d871cb6cbb8cbde877f9faddcc27b8
Opcode Fuzzy Hash: 8d8bb769e563b8455a3b2a24b3abc0d2edde8959245eac2d86ce6adfc2476ea3
Instruction Fuzzy Hash: 34217974E04259DFDB01DFB4D844BFEBFB0AB4A301F2844AAE464A3291C3748A54DF50

Uniqueness

Uniqueness Score: -1.00%

Function 027C1EE3 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a06e812bddb67fdbd1a5adc3638951ed59a16176f556da50d8a712650817be
Instruction ID: 0e37801e8205da1c85667050ed225d695c529509ba7bc10488065a3f814dfbe1
Opcode Fuzzy Hash: 94a06e812bddb67fdbd1a5adc3638951ed59a16176f556da50d8a712650817be
Instruction Fuzzy Hash: D8119E35A093948FCB13DB74E858AD9BFB2AF47300B5580EAE848DB162D7319829CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693589580.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 02b0990f622367f8e652b226477188443be467b8c08a69ee7e2c996b3b525606
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5C11E172404280CFDB06DF04D9C4B16BF72FB94324F24C2A9D8090B257C33AE85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694386264.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 29d41dc3b33d0dcef10d9f45808cd5ff7f8733fb703590a3149ef6c763cb72af
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 8F11D075504280CFCB15CF14E5C4B15FF61FB45714F24C6AAE84A4B656C33AD80ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A3D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694386264.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 1dc9125a05ffa4ed38b8061e66915995601bc99b4974f2a6e764415eca1cfd79
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: E711BB75504280DFCB02CF50D5C4B56BBA1FB84314F24C6AAE8494B296C33AD80ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 027C04F0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49282ca182f56e49cbc8d4c86d04510f3dd27c7a57fe4403ac22b0318db8394b
Instruction ID: 8284edfa0445d2e38d8ae4e8d9f1bac58c7c2619920a9f5e59ea119db28f1150
Opcode Fuzzy Hash: 49282ca182f56e49cbc8d4c86d04510f3dd27c7a57fe4403ac22b0318db8394b
Instruction Fuzzy Hash: 58113C357443008FCB25EB39D08589ABBE2AF8631431589AED59ACB765DF71E906CB80

Uniqueness

Uniqueness Score: -1.00%

Function 027C0457 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e7a11e3ddf59b239c239736c855d2bcd1e3e9784db217633a0fd770c3e23a7
Instruction ID: de5e73b22e1aabbd45fd69e7b3fb66cb2f294f2f42e61a610508860e3eb8fc3c
Opcode Fuzzy Hash: 37e7a11e3ddf59b239c239736c855d2bcd1e3e9784db217633a0fd770c3e23a7
Instruction Fuzzy Hash: BE115B317006008FC721DF39C54499BBBE5AF8630471989AEE15ACB721DB70ED058B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693589580.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282651b9e749603d468179cbda2e66e57aa4a1d01d0a18b690c6a3bbd61ed9a7
Instruction ID: c0d59ee9ecf3133231067c78a26ab36010c47c37c4e630c8648869e68c8e5f23
Opcode Fuzzy Hash: 282651b9e749603d468179cbda2e66e57aa4a1d01d0a18b690c6a3bbd61ed9a7
Instruction Fuzzy Hash: 5301A2714083509AE7109F2DEE84B67BFA8EF51324F18C93AED094E287D67D9840CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 027C0468 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b439f5d965d0e36c5aec05036eca4967a99f7b240c5ab881fb81e5186a7f32ad
Instruction ID: 1f78ea8c52631f57f9d04816bf6751898e6c2e72d57006f4ec38de081f92fd8a
Opcode Fuzzy Hash: b439f5d965d0e36c5aec05036eca4967a99f7b240c5ab881fb81e5186a7f32ad
Instruction Fuzzy Hash: 4E0144763006008F8720EB3AD90499BB7EAAF8671471589ADE15ACB720EB70ED058BD0

Uniqueness

Uniqueness Score: -1.00%

Function 027C06F8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6d7f0867e2f136f6e2a54326263b147fe164b6f4992dfc9233c27bca0b7554
Instruction ID: d40e63d4218d7fb4427afdc91613da3bafd05dec5c7dae7fb61ee07d74a2c731
Opcode Fuzzy Hash: 8b6d7f0867e2f136f6e2a54326263b147fe164b6f4992dfc9233c27bca0b7554
Instruction Fuzzy Hash: 8D011A74D04219DFCB04DFB5D808BFEBBF0BB4A301F1484A9A425A3291D7744A40DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A2D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693589580.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f80c3daabe512132f0f766718e7c1d27c6a41d806b7979f6b5d99ae44df2ace
Instruction ID: 5fa521b1aaf2d56fedfafa976bb4ce2eb43af0ae669626d33e36a950048d65f0
Opcode Fuzzy Hash: 5f80c3daabe512132f0f766718e7c1d27c6a41d806b7979f6b5d99ae44df2ace
Instruction Fuzzy Hash: FBF062714083549EE7148F1AD888B66FFA8EF51734F18C45AED484F287C2799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 027C0F00 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bc759bca6a755793c703b363b3f8e76e99fb63e73c82da9014c8844a7c7f15
Instruction ID: 7c55bed81481b1cb5fe1b332ee03f72c4691fe955503baab58d0cf88e7e449f7
Opcode Fuzzy Hash: 94bc759bca6a755793c703b363b3f8e76e99fb63e73c82da9014c8844a7c7f15
Instruction Fuzzy Hash: 4B0169B0A18346DFD715CF78C484AAEBFF0AF0A314F21469EE150DB292D7759145CB90

Uniqueness

Uniqueness Score: -1.00%

Function 027C1E7F Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b48bdabca96d991d2fc6494b8e8f0f5d1f18cc9f218097db8b8653d98d39fa
Instruction ID: 84387e207949290b3ac94b2512ac2ec01cbdbca117efb72140e669dbe4b5aab4
Opcode Fuzzy Hash: b3b48bdabca96d991d2fc6494b8e8f0f5d1f18cc9f218097db8b8653d98d39fa
Instruction Fuzzy Hash: 8AF06DB0D0425A9EDB20DF79C8847ABBFF0AF09304F24496DD849E7641D7B55501CB90

Uniqueness

Uniqueness Score: -1.00%

Function 027C0F10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62b0a01cc95f6b54e80eeac5a460d1fb99419aaa6df2d9df25120ed70114812
Instruction ID: e5f6abb239e136ed4756a53441e485beceef53ad92194ac56bb791dd3ebf8af3
Opcode Fuzzy Hash: f62b0a01cc95f6b54e80eeac5a460d1fb99419aaa6df2d9df25120ed70114812
Instruction Fuzzy Hash: 5FF0DAB0D0420ADFDB44DFA9C845AAEBBF4AB48300F1045AEE918E7241D77096408FD1

Uniqueness

Uniqueness Score: -1.00%

Function 027C1E90 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f51890c51034e63fa0146726114389635d83ee95b139609fe12dee860fbb9c
Instruction ID: af6c1b5dc065632f5c878536704b447127b153f7b73c26a6e92d83fe3075e913
Opcode Fuzzy Hash: 83f51890c51034e63fa0146726114389635d83ee95b139609fe12dee860fbb9c
Instruction Fuzzy Hash: E9E0A5B0D0021A9FD760EF6A894576BBAF4AF48750F64892D9409E6211EBB096008BA5

Uniqueness

Uniqueness Score: -1.00%

Function 027C0EB3 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ad9c118e1e4032a728cf24f0b8272b532ac8384ae930049b9f649b4be525e3
Instruction ID: b1708679f3af49b1a6a47aec91fc5feab4de747974f7ea1683478c5fba696499
Opcode Fuzzy Hash: 19ad9c118e1e4032a728cf24f0b8272b532ac8384ae930049b9f649b4be525e3
Instruction Fuzzy Hash: 3EE065B0A94645DFD710EB34D40854EBFB15B05314F25C5DDD161DB1A2D7B445058F80

Uniqueness

Uniqueness Score: -1.00%

Function 027C0EA8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97699d74775efcce619913a4b05c26a2aee47c259cc4967fb140a8348ad46b07
Instruction ID: 08bfa6ca8f7a8857a019c8261b1ebf8058815a19d13823c7a8bd3475f6377de8
Opcode Fuzzy Hash: 97699d74775efcce619913a4b05c26a2aee47c259cc4967fb140a8348ad46b07
Instruction Fuzzy Hash: 8DE052B0DA021ADFE750DF69C544AAABBF0AB08700F20896DD029E7211D77496018F84

Uniqueness

Uniqueness Score: -1.00%

Function 027C0EB8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b840710d277c0a8cb4fe73725c67e219a3553be0db2141a1c0181c0304c94ed
Instruction ID: 5f9cba2d03b9c9045a2d5d629ad673a170223bf476f97c5ca08df9ae79a4b933
Opcode Fuzzy Hash: 0b840710d277c0a8cb4fe73725c67e219a3553be0db2141a1c0181c0304c94ed
Instruction Fuzzy Hash: 32E092B0D9021ADFD740EFB9C905A5EBBF0BB08700F2185A9D019E7251E77496058F91

Uniqueness

Uniqueness Score: -1.00%

Function 027C0430 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f33688e35655ac6d1e6e592bd024a0abaccddbf80398c0ea685feb858bbb434
Instruction ID: cd70b336eb1b2f331eb9ae95e5a9092962375d74dcec3af79e8f06f736e62789
Opcode Fuzzy Hash: 9f33688e35655ac6d1e6e592bd024a0abaccddbf80398c0ea685feb858bbb434
Instruction Fuzzy Hash: 62C0022A01F3C24EC703CB2589A05917F75BD5766839905C2D190CB693D614992ADB26

Uniqueness

Uniqueness Score: -1.00%

Function 027C0532 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b339f1be6468f398504b1148b3ba2b2193d326fceec8c01d9983e4f9843642
Instruction ID: 449d478a0c2ed7aa70373741dfa7b6be90b67f1f09739a2aee13e539e883af57
Opcode Fuzzy Hash: 38b339f1be6468f398504b1148b3ba2b2193d326fceec8c01d9983e4f9843642
Instruction Fuzzy Hash: 7FE02DB4D4421AEFEB50EFB89545BAEBBF0AB08710F60896EC415E6241E7B446448F91

Uniqueness

Uniqueness Score: -1.00%

Function 027C0538 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e20401eebf80dea34b70a3f707a4eba90ac315de267596484a62014397d7a6
Instruction ID: a1948310c3ba435c446f7464abb0863bb93ea00d0c2f5a79c0369222e2683fcd
Opcode Fuzzy Hash: 46e20401eebf80dea34b70a3f707a4eba90ac315de267596484a62014397d7a6
Instruction Fuzzy Hash: 03D042B4D4431AEFDB50EFB9950579EBBF4AB04700F60896EC415E6241E7B446448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 027C0FB0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa122290503d81afc05e1169add061c73908b497732e5aa44d72d1b772976dc7
Instruction ID: 0ecdfad55ba064634423a8185cfd78c380320d9ea5622a36b30313357a870418
Opcode Fuzzy Hash: aa122290503d81afc05e1169add061c73908b497732e5aa44d72d1b772976dc7
Instruction Fuzzy Hash: 03D0123622420C9F4B81EFA4E800E9677DDBB65700B01842AF508C7431E721E464DB91

Uniqueness

Uniqueness Score: -1.00%

Function 027C0500 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695601297.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec033338cf11afb0ba9e2856e4b1ab1a6b6cd4a8f37dcb7c2f520e6692cc52ca
Instruction ID: e96ef02baa448730fc57e2c7e57276a2169914e31876312aaa8867be8d82dd94
Opcode Fuzzy Hash: ec033338cf11afb0ba9e2856e4b1ab1a6b6cd4a8f37dcb7c2f520e6692cc52ca
Instruction Fuzzy Hash: 20C08C313082088BCB48FF31904612D339BABC11093D4C079984E8B358EE39D803C745

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 053D3810 Relevance: 5.3, Strings: 4, Instructions: 259COMMON

Download Yara Rule

Strings

[V~*, xrefs: 053D3975
[V~*, xrefs: 053D397C
T+-q, xrefs: 053D3B4A
]\`, xrefs: 053D3A92

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$[V~*$]\`
API String ID: 0-1849991408
Opcode ID: 7e6e7723abca505490ef756a7f724d24136df9433c1f9457294a30734b3b8086
Instruction ID: 18b3ac8fa0ac7e6eee7d3babdfd41b28ba0d8205d783a841cab8e92cd786fa9e
Opcode Fuzzy Hash: 7e6e7723abca505490ef756a7f724d24136df9433c1f9457294a30734b3b8086
Instruction Fuzzy Hash: D5B12671E1521ADBDB05CFAAE98089EFBF2FF89300F14D92AD415BB218D73099058F65

Uniqueness

Uniqueness Score: -1.00%

Function 053D3800 Relevance: 4.0, Strings: 3, Instructions: 257COMMON

Download Yara Rule

Strings

[V~*, xrefs: 053D397C
T+-q, xrefs: 053D3B4A
]\`, xrefs: 053D3A92

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: T+-q$[V~*$]\`
API String ID: 0-3978741314
Opcode ID: 559e28304809c47ed1067e7196eb0b8913ad6dbe579385573cce28d8c255826c
Instruction ID: 478190a0ec04ca518347766d3b533e58e8172d2163be8a89194800ec8a4fa30c
Opcode Fuzzy Hash: 559e28304809c47ed1067e7196eb0b8913ad6dbe579385573cce28d8c255826c
Instruction Fuzzy Hash: 48B13471E1521ADFDB05CFAAE98089EFBF2FF89300B14D92AD415BB218D73099058F65

Uniqueness

Uniqueness Score: -1.00%

Function 053DA668 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40a340a22f096e13699bc2415bcd6e84bb56104f9fc250e923b3a699d2d2372
Instruction ID: 5eeac15f01a6e26a0a78e8e7557d48b1e2610b4dea1a61a01f15ba5c7e512c36
Opcode Fuzzy Hash: e40a340a22f096e13699bc2415bcd6e84bb56104f9fc250e923b3a699d2d2372
Instruction Fuzzy Hash: CFE11B74E042198FCB14DFA9D6809AEFBB2FF89304F248169D415AB356DB30AD42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 053DA230 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a55392a812a0a2c1166ce1aff8b052fe36010597f38aabbe6498b36f68fea2
Instruction ID: 42b84175263fd3fb8667e0967ea352dcfe71b72d7711f606a783a90c3a22f767
Opcode Fuzzy Hash: 00a55392a812a0a2c1166ce1aff8b052fe36010597f38aabbe6498b36f68fea2
Instruction Fuzzy Hash: BEE11A75E042198FCB14DFA9D6809AEFBF2BF89304F248169E414AB355DB31AD42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 053DC2A0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161f347098a1a3944fdc8a8992a42fbce0b2a6044b530bd56e605f2702f1a6aa
Instruction ID: 79b00c6fc2b2c334ebdfa7dcdb66b1b329331d7eb90e3e6945459ed48431bf54
Opcode Fuzzy Hash: 161f347098a1a3944fdc8a8992a42fbce0b2a6044b530bd56e605f2702f1a6aa
Instruction Fuzzy Hash: D2E12B74E142198FCB14DFA9D5809AEFBB2FF88304F249169E414AB356DB31AD42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 053DCC50 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1bb7485426be7354092be5f8ce9b5dfc240473eeae22767288727d121d5b3b
Instruction ID: 0dd74c8b58c4f0451e2aae48bb5548c3c8a1f977902eee45ef7c8fe5a80dc1fe
Opcode Fuzzy Hash: 8f1bb7485426be7354092be5f8ce9b5dfc240473eeae22767288727d121d5b3b
Instruction Fuzzy Hash: F7E11AB4E142198FCB14DF99D5809AEFBF2BF89304F249169D414AB356DB30AD42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 053DAAA0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac21be622102b31a1827d49da73a589f12b83bb5eded7ced50867b1e31e97460
Instruction ID: f6f2e053410377c6e930b639cb82e2f9c275995d71286168ba57bb57d808c689
Opcode Fuzzy Hash: ac21be622102b31a1827d49da73a589f12b83bb5eded7ced50867b1e31e97460
Instruction Fuzzy Hash: DFE12B75E042198FCB14DFA9D6809AEFBF2BF89304F249169E404AB355DB30AD42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 053D2141 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b87f0517bbe4a0d8071f8e91458ca90f544edeb4fb9b282a90bc6ffa1b8380
Instruction ID: b4030b44be31a5b5feaed29a6485109620938479c3d40435cdb4b60214b923c8
Opcode Fuzzy Hash: a8b87f0517bbe4a0d8071f8e91458ca90f544edeb4fb9b282a90bc6ffa1b8380
Instruction Fuzzy Hash: 07D1D631D1475A9ACB11EFA4D990A9DB7B1FF96300F10C7AAE0093B215FB706AC5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A9E3B4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1694713219.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10957aa34fed6b9b81063cb2f439b71c18af756e6e26612d359129a3c21ede69
Instruction ID: 5f7a55b02807a930059a9cf89eedca2fc4499e43b5c8ebaa56ec9fdefba77c54
Opcode Fuzzy Hash: 10957aa34fed6b9b81063cb2f439b71c18af756e6e26612d359129a3c21ede69
Instruction Fuzzy Hash: EBA14B36F002199FCF05DFA4C94459EB7F2FF89300B15857AE806AB266DB31E956CB80

Uniqueness

Uniqueness Score: -1.00%

Function 053D2150 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b5bbc6e2a83f42aed5b8f592941f28e9b07e4ff9ea4d579d91d1fd4328ff51
Instruction ID: 5cb0d0de1994e9c67a01db0adfde7d72d0fcba193489fe91a9a4394bb5d0cd8e
Opcode Fuzzy Hash: 28b5bbc6e2a83f42aed5b8f592941f28e9b07e4ff9ea4d579d91d1fd4328ff51
Instruction Fuzzy Hash: FFD1D631D1475A9ACB11EBA4D950A9DB7B1FF96300F10C7AAE0093B215FB706AC5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 053D2117 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c408117840421169efef99e460f2b41dad0e8b580a4da9fc1d78d01c3478472
Instruction ID: 4bc2eaaa70a5e560cf55dd17b8f88dae0ade9075fcebaf73f14d1d8dd8d8c51a
Opcode Fuzzy Hash: 6c408117840421169efef99e460f2b41dad0e8b580a4da9fc1d78d01c3478472
Instruction Fuzzy Hash: 2DD1D731D1475A9ACB11EFA4D990A9DB7B1FF96300F10C7AAE0093B215FB706AC5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 053D089F Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311b902a1b3e705494889f66a648535fd667169382527b74df74dcadd1341d23
Instruction ID: 3671e7ef8e0c1601250cbcbf34029bf75ca7ebb23b9277204734886da83625df
Opcode Fuzzy Hash: 311b902a1b3e705494889f66a648535fd667169382527b74df74dcadd1341d23
Instruction Fuzzy Hash: 31514C71E056099FDB08CFA6E5456AEFBF2FF88310F10942AD415E7364E7745A418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 053D08B0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fad39ee14814f78409d7c73722c6a1facffc7e523b9d22eec52ef429781fa1b
Instruction ID: ba8f88a1dfdcd57563673cf6dc27ca1d06c37747d6c54e579beb32dc200ec1a0
Opcode Fuzzy Hash: 9fad39ee14814f78409d7c73722c6a1facffc7e523b9d22eec52ef429781fa1b
Instruction Fuzzy Hash: A6513771E0620A9FDB08CFA6E5495AEFBF2FB88310F10942AD415F7364E7745A018FA0

Uniqueness

Uniqueness Score: -1.00%

Function 053DC290 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a1f226290961fe875e7216e8bd8c5e7063879de29ef330edf80502a1a5216b
Instruction ID: c280d1c1f4b223da666b7fc27cd0cfe93d1cd45237910c594dceaff282e295ae
Opcode Fuzzy Hash: b3a1f226290961fe875e7216e8bd8c5e7063879de29ef330edf80502a1a5216b
Instruction Fuzzy Hash: 93512B71E142198FCB14CFA9D5805AEFBF2BF89304F24916AD418AB316DB319D42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 053DAA90 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700950191.00000000053D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_53d0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1292638e7d791794e1cd22498680f4f72c06b9cf5f606a6cbc209ece0eb2ea
Instruction ID: 0ce9d31bdaf396388f723c7cb31d034bbdcb383ec3c6681f1dcd7f379bb00e91
Opcode Fuzzy Hash: 6c1292638e7d791794e1cd22498680f4f72c06b9cf5f606a6cbc209ece0eb2ea
Instruction Fuzzy Hash: AD514E71E052198FCB14DFA9D5805AEFBF2BF89314F24C169D418AB315DB305942CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exePID: 7588, Parent PID: 7404COMMON

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	75
Total number of Limit Nodes:	7

Executed Functions

Function 00E2A968 Relevance: 2.8, Instructions: 2802COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4795e865fe5759fc15b54d8c617df5779de3fe707c122323b211c8b3f5ca31c
Instruction ID: d38197527ad0ecf4e0fca9b85f81e58fbd59be88f68873c582b463ea750c9ecb
Opcode Fuzzy Hash: c4795e865fe5759fc15b54d8c617df5779de3fe707c122323b211c8b3f5ca31c
Instruction Fuzzy Hash: D053F831C14B1A8ACB51EF68C880599F7B1FF99300F15D79AE4587B225FB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E2DBE0 Relevance: 2.3, Instructions: 2328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb23d859ace250463ccf26aef6a2b044f3e264e261558ff1835b7c64a46dc087
Instruction ID: d27fc47a014c502fc4fddbc608ace5a7dd09b49135156234e89b1d6dc88e1ecf
Opcode Fuzzy Hash: fb23d859ace250463ccf26aef6a2b044f3e264e261558ff1835b7c64a46dc087
Instruction Fuzzy Hash: 92332D31D10B198EDB11EF68C8806ADF7B1FF99300F15D69AE459B7211EB70AAC5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E23E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vl, xrefs: 00E240CB

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: \Vl
API String ID: 0-682378881
Opcode ID: 3d86a18abd2999ad6cd4311f2c3d797c3cf5fc5dbcff9dc53ce9d0794ba4ca7e
Instruction ID: 77a8ac018898866a62e57766d1098afcb746e1147521d34507230fa10f905757
Opcode Fuzzy Hash: 3d86a18abd2999ad6cd4311f2c3d797c3cf5fc5dbcff9dc53ce9d0794ba4ca7e
Instruction Fuzzy Hash: 00915FB0E002198FDF10CFA9E9857DDBBF2AF88318F149129E415B7294EB749995CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00E24A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb11cbd81f93f20399cfe1f37361c27f825fa471d32ffb2f37a583be1d250b3
Instruction ID: 480823589b14ea4c5c18c0e568db5a3fc3e3a3fcef2c1e0c49fe08f2599d8a27
Opcode Fuzzy Hash: abb11cbd81f93f20399cfe1f37361c27f825fa471d32ffb2f37a583be1d250b3
Instruction Fuzzy Hash: FFB141B1E002198FDF10CFA9E8957DDBBF2AF88318F249529D815F7294EB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E24810 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vl, xrefs: 00E249D2
\Vl, xrefs: 00E2487F

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: \Vl$\Vl
API String ID: 0-415357090
Opcode ID: 133c66a0bedc3eb840343d1bb3b1fae176de6bd7d32fb0a801968145b95004fe
Instruction ID: b35a75b039d5f8f11b5f8d447df4635957d18d93d1d95bf00ba64e0c2b17d062
Opcode Fuzzy Hash: 133c66a0bedc3eb840343d1bb3b1fae176de6bd7d32fb0a801968145b95004fe
Instruction Fuzzy Hash: 78717CF0E00259CFDB14CFA9E8817DEBBF2AF88314F149129E415B7294EB749885CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00E24804 Relevance: 2.7, Strings: 2, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vl, xrefs: 00E249D2
\Vl, xrefs: 00E2487F

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: \Vl$\Vl
API String ID: 0-415357090
Opcode ID: cff7167732d1635159c40d6969c9be0a6448c304120ff391cec80cc290404b5c
Instruction ID: 56d1474c1805f3945b0f36688b2258478964c130374c9b9d521fedd828955359
Opcode Fuzzy Hash: cff7167732d1635159c40d6969c9be0a6448c304120ff391cec80cc290404b5c
Instruction Fuzzy Hash: DF717CB0E00259CFDF14CFA8E8817DEBBF1AF88314F149129E415B7294EB749885CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0661E991 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2885707053.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6610000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b0928e977b05605811a7190ed1e894d9fca040285643da753c8f5597c16f7e
Instruction ID: b2f55d0fe7df3664b5cf2dac6479a71cc10be1d1a7a7e4bad0019786618674d6
Opcode Fuzzy Hash: 71b0928e977b05605811a7190ed1e894d9fca040285643da753c8f5597c16f7e
Instruction Fuzzy Hash: AC412271D003598FCB10DFA9D8446EEBBF5EF89210F14856AE908AB341DB789841CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0676D804 Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0676D922

Memory Dump Source

Source File: 00000002.00000002.2885920332.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6760000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 933f5440dd5fafc6e7c17269b8e3fc3b63fabb84439cefe31931f28b09991f83
Instruction ID: 8d42666c164ebcd67d6693316536660494b5e1c6e012357733620ee9a76a588b
Opcode Fuzzy Hash: 933f5440dd5fafc6e7c17269b8e3fc3b63fabb84439cefe31931f28b09991f83
Instruction Fuzzy Hash: 7651C2B1D103499FDB24CF9AC884ADEFBB6FF48314F24852AE818AB210D7759845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0676D810 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0676D922

Memory Dump Source

Source File: 00000002.00000002.2885920332.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6760000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b3987f437f8bcf47c631bbbb5886badefa267f380d7d01f3c1f22cfd45a91000
Instruction ID: b135c1423c9271185867be71ba15ae875c7068de2a3541f3f322aeaba13160d0
Opcode Fuzzy Hash: b3987f437f8bcf47c631bbbb5886badefa267f380d7d01f3c1f22cfd45a91000
Instruction Fuzzy Hash: ED41B0B1D103499FDB24CF9AC884ADEBBB6FF48314F24852AE818AB210D7759845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0676CD6C Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0676FE91

Memory Dump Source

Source File: 00000002.00000002.2885920332.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6760000_SecuriteInfo.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 27ea82ac70be347a2479c1869a36a514cf485d170f90a0c4f5d8eb5266c0eaf2
Instruction ID: 060289c6fd604964c334eefc4b64f8d77eb251d54956d504984c75cea0a63065
Opcode Fuzzy Hash: 27ea82ac70be347a2479c1869a36a514cf485d170f90a0c4f5d8eb5266c0eaf2
Instruction Fuzzy Hash: BB412CB4900309CFDB54CF9AD448AAABBF6FF88314F24C459E519AB321D774A845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0661EA78 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0661EADF

Memory Dump Source

Source File: 00000002.00000002.2885707053.0000000006610000.00000040.00000800.00020000.00000000.sdmp, Offset: 06610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6610000_SecuriteInfo.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 580bfc0246db92fbecbfc139f6c4f3f047659219fed39ab9e072b2eb607951e3
Instruction ID: 9a83784b12e99626e7d11734148ce45f05874768f7a1a6a959ef3447ba9daae3
Opcode Fuzzy Hash: 580bfc0246db92fbecbfc139f6c4f3f047659219fed39ab9e072b2eb607951e3
Instruction Fuzzy Hash: 3C11F3B1C006699FCB10DF9AC545BDEFBF4BF48320F14816AE818A7250D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E23E77 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

\Vl, xrefs: 00E240CB

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: \Vl
API String ID: 0-682378881
Opcode ID: 912b723675efd070a5bb0bf8724316b728632bd4ab33a57ef076c2bd1f7ab7b5
Instruction ID: ec42f7f6e5c1db1ff0636595be6f4b81d92e0b91c48ba2fb22dc05b8bfb010d8
Opcode Fuzzy Hash: 912b723675efd070a5bb0bf8724316b728632bd4ab33a57ef076c2bd1f7ab7b5
Instruction Fuzzy Hash: 8E915EB0E002199FDF10CFA8E9857DDBBF2AF48318F249129E415B7294DB749995CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00E26EDB Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00E26F0E

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 95b0def82f6fded0f665ef0d9ff05b85228c6a7f79fd064b318e8aea929fddc8
Instruction ID: 77f2809c9dd0c6d79038cd43f151ece236480b1adde65e195da195b9e7b8d5b7
Opcode Fuzzy Hash: 95b0def82f6fded0f665ef0d9ff05b85228c6a7f79fd064b318e8aea929fddc8
Instruction Fuzzy Hash: D3619E34714224CFDB04EB68E558AAE7BF1EF89314F2054A9E406EB3A1CB75DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E27D89 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00E27E1C

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: e782dabfba720a2acd33501fce256f6d2005d20c85027aca85a410c621a54fcf
Instruction ID: 4f042447d987646a70be0be76e27b11ccfd987152d4948aa00ed85f71d19cfa1
Opcode Fuzzy Hash: e782dabfba720a2acd33501fce256f6d2005d20c85027aca85a410c621a54fcf
Instruction Fuzzy Hash: 8731AC30E14219CFEB15CFA5D4447AEB3B2EF96304F219969E842FB290EB709C42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E27D98 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00E27E1C

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 0bde0c5e3fbb80eef993026f358835e656ce8bde7ce7cd79a8ba7e997e6db859
Instruction ID: e45375c911973f071f837b832809ed4e7be03e35c79bc0e2db92a2fbcaab0bbe
Opcode Fuzzy Hash: 0bde0c5e3fbb80eef993026f358835e656ce8bde7ce7cd79a8ba7e997e6db859
Instruction Fuzzy Hash: 39318F30E14219CBDB14CFA5D4446AEB7B2FF85304F21946AE846FB240EB709D42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E26BA0 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00E26BD7

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: eee826582a76e4b69b2074f97416c8d0aab2541cbfd052dac6954fb230ab5179
Instruction ID: b68e30900a9c960cf346ee631976540b395adef02a4ff222bc67d1d7802faafe
Opcode Fuzzy Hash: eee826582a76e4b69b2074f97416c8d0aab2541cbfd052dac6954fb230ab5179
Instruction Fuzzy Hash: D72135317082509FC705FB79A46579E7FA1EF86300F0045EAD049CB396DA718C49CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E20848 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Ko, xrefs: 00E208A8

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: 39ee1d527f586cbb5f3f04d989b8e4d304c8fd13dfe6908186d7394eb9f7254f
Instruction ID: 117bab5f974a1a0b9c4f7af4562d84a44b528436cef296f33e71689ef1dec3f1
Opcode Fuzzy Hash: 39ee1d527f586cbb5f3f04d989b8e4d304c8fd13dfe6908186d7394eb9f7254f
Instruction Fuzzy Hash: 82119131B102248FDF5C6A78F85476FB2A1EB91318F205979E006EF3E6DA61CD858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00E20838 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Ko, xrefs: 00E208A8

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Ko
API String ID: 0-716275355
Opcode ID: d519c5ba51ce7c0dce85ff831b1862418bff9381357c595c1a618c2ab15d5c4a
Instruction ID: 0e37981d12303650d3e90d90bfd34977e50ce5eb7c2f29ffc126f950a3ad6955
Opcode Fuzzy Hash: d519c5ba51ce7c0dce85ff831b1862418bff9381357c595c1a618c2ab15d5c4a
Instruction Fuzzy Hash: B311BF31A002249FDF1D5AB4F85436BB661EB92358F10597AE402EB2D3EA60CD858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00E28FA8 Relevance: .9, Instructions: 939COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e4f69654180ff2d6e29ab94d7f224296019939a8f74296a54203dfa3aba4ac
Instruction ID: 06947113a049a70d11634b647db99dcd7d1be4a33fa84480abf4234900ff7a8c
Opcode Fuzzy Hash: 62e4f69654180ff2d6e29ab94d7f224296019939a8f74296a54203dfa3aba4ac
Instruction Fuzzy Hash: 6C825C38B00614CFC759EF24E5A5A6E77B2EB88700F10A8AAD909D7368DF719D42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00E28FB8 Relevance: .9, Instructions: 934COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0e95bc00acbc97dab33a7b678761b3d7d48103756d99adc6f53dc8634c2089
Instruction ID: 8152a6983770116c38a5a5aa843f876340e8d3cdbecafa25975fd1f9a98b509a
Opcode Fuzzy Hash: 6c0e95bc00acbc97dab33a7b678761b3d7d48103756d99adc6f53dc8634c2089
Instruction Fuzzy Hash: 60825C38B00614CFC759EF24E5A5A6E77B2EB88700F10A8AAD909D7368DF719D42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00E28677 Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06e9088d4814ec0e57654607cfc861bf434358e2a2e51e9cc216e7c02f4510c
Instruction ID: 32dcd02df47114b7a7429c55e34c6f3a6d207fb523d1499ae7a123fac6acb284
Opcode Fuzzy Hash: f06e9088d4814ec0e57654607cfc861bf434358e2a2e51e9cc216e7c02f4510c
Instruction Fuzzy Hash: 5322B0707011019FDB19AB38E594269B7A3FBC5346F24697AE002CF355CF71ED8687A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E28729 Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4dfe629c892ddf6e9d1d51313158248acbdcbd4c23ab4aaaeff19c153f5a35
Instruction ID: c342f0683e9c77ab7c2b3cf1561f6155d631f1b886d1c20dfec362c5ff686820
Opcode Fuzzy Hash: 1f4dfe629c892ddf6e9d1d51313158248acbdcbd4c23ab4aaaeff19c153f5a35
Instruction Fuzzy Hash: C4129D707011059FDB19AB38E59026DB3A3EBC5346F24A97AE006CF355CF71ED868BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A18C Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9b38d67047eee450dc00a54676a5fc52d4a1816ae0f41edf9eb6073ec9944b
Instruction ID: 9ed7008e409f22643703822d11562d13dcd0c1b5bdbb743a22df9ef74aaee3f0
Opcode Fuzzy Hash: fe9b38d67047eee450dc00a54676a5fc52d4a1816ae0f41edf9eb6073ec9944b
Instruction Fuzzy Hash: CFE17234B00214CFCB14DF68E994AAEB7B2EB88314F285479E506EB354DB35DC46CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A500 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4fa423023a24cee768ac10123a228a28807394ed4517d01e695a124a6953b6
Instruction ID: 1b7bf7fd49d55d0de4fda63ce16d93641dd1146ff7c5c585b291fc937057c26b
Opcode Fuzzy Hash: 5e4fa423023a24cee768ac10123a228a28807394ed4517d01e695a124a6953b6
Instruction Fuzzy Hash: 18D1A070A002158FDB14DF69E88079EB7B2FF88314F28957AE509EB395DB70DC458B92

Uniqueness

Uniqueness Score: -1.00%

Function 00E24A8C Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7427770b947e6638ffb7922e5ced5880ab82eac9205c75c6061bbe69290f3262
Instruction ID: dbf243dc3960e1d28f51949f329803c8194a98bcccdd1126bb82a16ae365b289
Opcode Fuzzy Hash: 7427770b947e6638ffb7922e5ced5880ab82eac9205c75c6061bbe69290f3262
Instruction Fuzzy Hash: 9DB131B0E002298FDF10CFA8E8967DDBBF1AF48358F149529D815F7294EB749845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E26CDC Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5379c9b128216c671edd311b8ff6b8b64f9676fbcd5581433857a67fc3ea821
Instruction ID: 7451a2f58f0c15b64e9b542e9cff22714a00d14a5712969c1968d5649445676e
Opcode Fuzzy Hash: d5379c9b128216c671edd311b8ff6b8b64f9676fbcd5581433857a67fc3ea821
Instruction Fuzzy Hash: 875134B4E002288FDB14DFA9D885B9DBBB1FF48304F158119E819BB351CB74A944CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00E217C0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c496ac7c6218fced7690484d7756102b67802c0646da10807adc8e015e8b020
Instruction ID: b107b75f00eb2e88cb262fc0f2518f8925fbd7efb455f150d27c86fe2e7eec65
Opcode Fuzzy Hash: 7c496ac7c6218fced7690484d7756102b67802c0646da10807adc8e015e8b020
Instruction Fuzzy Hash: AB415975A002515FCF12AF38F85875E7BA6EBD1308F0415E6D00AD7366EB74CE498782

Uniqueness

Uniqueness Score: -1.00%

Function 00E26CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c046b93a3c8fbfa1e9c5bcfb158c3545a06b2e6fb2cdbc613d8155b1f466c3a9
Instruction ID: 1a690c8927e44229c05f09b474b986d4453fa29376c1e01ee3207371c9453553
Opcode Fuzzy Hash: c046b93a3c8fbfa1e9c5bcfb158c3545a06b2e6fb2cdbc613d8155b1f466c3a9
Instruction Fuzzy Hash: 3B514574E002288FDB14DFA9D885B9DBBF1BF48304F158119E819BB350CB74A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00E21128 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d2600fe4370012a651f8ac7c98cd1bfd9d83932b76c0ee033f424ade5adaac
Instruction ID: c42b2476b774606133aa8d343c06a81893294f77924cd2e614f749e7352197d1
Opcode Fuzzy Hash: 86d2600fe4370012a651f8ac7c98cd1bfd9d83932b76c0ee033f424ade5adaac
Instruction Fuzzy Hash: 9B510D34111A418FC70AFF6CFAA1A597BB6F7D230970469E9D0045B37EDB706989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E21138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8606145ddaa758508ec36c7fd5f91158baebb7b4fa8cd1a4c2b3da97d83cb0ad
Instruction ID: 76bf52d6781072cfc03fcc2180f5848cb12936ca5771efa7f3bb3b2dfd0fa298
Opcode Fuzzy Hash: 8606145ddaa758508ec36c7fd5f91158baebb7b4fa8cd1a4c2b3da97d83cb0ad
Instruction Fuzzy Hash: DE51FB34211A41CFC70AFB6CFAA1A597BB6F7D530930469E9D0045B33EDB706989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E226DC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585714f10a64884192bfd337cc9c97f76446a998974ce30103c54ab8342cd73b
Instruction ID: f093d556ca6c31f007ddc0826fa912f7325ebec562b3531ac626337b2695fb1d
Opcode Fuzzy Hash: 585714f10a64884192bfd337cc9c97f76446a998974ce30103c54ab8342cd73b
Instruction Fuzzy Hash: EB41EFB0D003599FDB14CFA9D485ADEBFB5EF48314F24802AE419AB254DB749945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E226E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d5f1ed9c184b6457b6e5282ffe3ed5cf7ae01f6600d8888dabd5b85a33e040
Instruction ID: 8bbe0ea78ccd4861d5f598db17d910282a3211bbc7a382bf3ebafbff28e6e2b4
Opcode Fuzzy Hash: 23d5f1ed9c184b6457b6e5282ffe3ed5cf7ae01f6600d8888dabd5b85a33e040
Instruction Fuzzy Hash: 0B41EFB0D00359EFDB14DFA9C484ADEBFB5FF48314F24842AE809AB254DB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E250A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cc33d148754625ff7f4412a213fd2a09a3503c9d2afc020ce2c646d23713d4
Instruction ID: 156786051cae8bd66bea2d4bf45f5fb5e3739c5da687f631865ef7221e035e0c
Opcode Fuzzy Hash: 35cc33d148754625ff7f4412a213fd2a09a3503c9d2afc020ce2c646d23713d4
Instruction Fuzzy Hash: 4A315C35701A298FDB18EB74DA1179D73F6AF88348F2014A8D401BB3A4DB36DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E25098 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10b7fecf60d8b5361f08b7e5f9150a7363041c6bc0127ffd051d5c4568c841a
Instruction ID: b84766e66fc6a1bed3092519d8dc78323df432b5bba6167db0bb0b5a0d0b62de
Opcode Fuzzy Hash: d10b7fecf60d8b5361f08b7e5f9150a7363041c6bc0127ffd051d5c4568c841a
Instruction Fuzzy Hash: 3E318D31701A258FDB18EB74EA50AAD77F2AF88308F2014ECD401BB3A4DB368D51CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D005 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2878704083.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c5d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1955b7e8e0446d80502176f933e72570399a1e6f9ec59d4f1929e9fe8f0719b7
Instruction ID: b0e8c5fa6a68bd8a50b5778f67f563b2b4a706e5eb76c13032bd10c0a6d1eb88
Opcode Fuzzy Hash: 1955b7e8e0446d80502176f933e72570399a1e6f9ec59d4f1929e9fe8f0719b7
Instruction Fuzzy Hash: 72312B7550E3C08FD7138B24C9A4715BF71AF47214F2985DBD889CF2A7C22A984ECB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E216A0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c1a0cbec5ce8d5e21c5d40cbd3a187911c92ebf9d25ffee7449a9e7667c12b
Instruction ID: 9c2574ae073f904a9e3a9d66df87f396723ac0226d92d838cb7a0efc820b785a
Opcode Fuzzy Hash: c1c1a0cbec5ce8d5e21c5d40cbd3a187911c92ebf9d25ffee7449a9e7667c12b
Instruction Fuzzy Hash: 2B3107345001514FCF12EB38F89875D7765EBA2348F006AE6D006DB2BAD774CD8ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A070 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f83dac56455aec2469b060567dbf14e2125c8de545ad766d50d089cb72b664
Instruction ID: a5363be75bc68ce1b0aae38b6124b3dd0c34cc12cc1aa6ce0841902975ce8b1c
Opcode Fuzzy Hash: d1f83dac56455aec2469b060567dbf14e2125c8de545ad766d50d089cb72b664
Instruction Fuzzy Hash: E3318171E0021A9BDB05CFA5E85469EF7B2FF89314F18952AE805FB350DB709C46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E2A080 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f868225afca30e605be6e519430eead91bb4b3f86eedd6cbea0a0cbb9aa07e9f
Instruction ID: 7a3afd9ec18af50dd4fa4bbedde17483d3d574d862fcf9824603798afedd16bd
Opcode Fuzzy Hash: f868225afca30e605be6e519430eead91bb4b3f86eedd6cbea0a0cbb9aa07e9f
Instruction Fuzzy Hash: 94217171E002199BCB05DFA5E854A9EF7B6FF89314F18952AE805BB340DB709C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E21380 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c7f1194ffdceab19951930afb69b2dcc0740dd961896bb093384ddb766b25f
Instruction ID: 0607f8db565fbf534940462e413e073085f43039786213692cf6282129e1ad9c
Opcode Fuzzy Hash: f6c7f1194ffdceab19951930afb69b2dcc0740dd961896bb093384ddb766b25f
Instruction Fuzzy Hash: BC213B706013204FDF356765F95832D3762D762359F0015FAD01AFB2A1CEA5CD888752

Uniqueness

Uniqueness Score: -1.00%

Function 00E29F70 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3738dac50416e0b5fe78e29d9288ae16ffe89e4452ad50376a9b33eba314692a
Instruction ID: 7f001c31553f9506f354310907312536f1967cc9f8e20d720dd06b5ddd264d74
Opcode Fuzzy Hash: 3738dac50416e0b5fe78e29d9288ae16ffe89e4452ad50376a9b33eba314692a
Instruction Fuzzy Hash: 6F21BF31E002168BDB09CFA4D4519EEF7B2BF89314F24952AE815FB381DB70AC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00C5D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2878704083.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c5d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2b85e079f530dda109dfde8741afcaccd1aeb96c1ea0864995304e29baf2d5
Instruction ID: 3f51a7b97aa5a0046655fe019fa7d8db89ffba256357580f7af1f4e6c3fb3971
Opcode Fuzzy Hash: 4f2b85e079f530dda109dfde8741afcaccd1aeb96c1ea0864995304e29baf2d5
Instruction Fuzzy Hash: B5210479504304DFCB24DF24D9C4B26BBA5FB84315F20C56DEC4A4B392C73AD88ACA66

Uniqueness

Uniqueness Score: -1.00%

Function 00E24F88 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020801bc0ee40ea99b494e29c6a9d41e758526e513779a0d73c4d79653ba4f20
Instruction ID: 2bc2e5ad2e6eaf4c33ab550b25ecaa1752b36ab591e19247b70403b4269a4fec
Opcode Fuzzy Hash: 020801bc0ee40ea99b494e29c6a9d41e758526e513779a0d73c4d79653ba4f20
Instruction Fuzzy Hash: 57214835B00654CFDB14DB78DA58BAE7BF1AF89304B2014A8E406FB3A5EB719D00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E2187B Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7331a684cace20f3ba90333870bc3d77909d07edf32a77c40861e09fe8613ad1
Instruction ID: 7f7f2f0878a8ceb04cd62ccf5d397ac581813a04c8b0790ec2fb78e9b860f241
Opcode Fuzzy Hash: 7331a684cace20f3ba90333870bc3d77909d07edf32a77c40861e09fe8613ad1
Instruction Fuzzy Hash: 22216B307002258FDB18EB68D6657AD77F1AB99308F2014E8D005FB2A1DB368E81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E21888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5137999d717ca8fc68d0369219094d64e55212e23588e511434035aa08deeed2
Instruction ID: b04a474d9ae3c365aa3ca4946c1eb37aab699dbf5e891d368d1957f943d01682
Opcode Fuzzy Hash: 5137999d717ca8fc68d0369219094d64e55212e23588e511434035aa08deeed2
Instruction Fuzzy Hash: CC213030700219CFDB18EB64D6657AE77F5AB99344F2014A8D005FB364DB36DE81CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E29F80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b221b1c977dea56edf91f248d8d70f8046ce98b39d755396046332f7511486f
Instruction ID: 9eb7c21f6d896acc6ffefe29892a43d5270635ae9bf46b537a0242f33beb9db1
Opcode Fuzzy Hash: 4b221b1c977dea56edf91f248d8d70f8046ce98b39d755396046332f7511486f
Instruction Fuzzy Hash: CD219531E002159BDB15CFA5D550AEEF7B2BF89304F24952AE815FB381DB70AC46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E216B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02cde09a77bdd3f5b248153655b1309aae5d9c0fb1b0a4e396082619a6c97d15
Instruction ID: 248e83056383fd6de057b6351db0cfc5712b6e2b39c29c3ddce4577edf585a97
Opcode Fuzzy Hash: 02cde09a77bdd3f5b248153655b1309aae5d9c0fb1b0a4e396082619a6c97d15
Instruction Fuzzy Hash: 83210D346001115FCF11FB28F89875E735AE796308F0069B6D00AD7379DBB0DD898B92

Uniqueness

Uniqueness Score: -1.00%

Function 00E24F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a5c873034aec23deae53f764a746a3937e85508e6d6af100800629b2ddc798
Instruction ID: 04e459905036a40c41f62f814b5a9e0e780f98ee4340d21d54f72b3d8dc0ae4f
Opcode Fuzzy Hash: d7a5c873034aec23deae53f764a746a3937e85508e6d6af100800629b2ddc798
Instruction Fuzzy Hash: 5D21FC35700614CFDB14DB75DA59BAE77F1AF89304B2014A8E406F73A5DB759D00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E2148B Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e386eb5fd21631d84d189eb2b977b90b329a7dcd15c9acb12088fa19e310f9a
Instruction ID: b2a8008305136233fbadfb09d154542bfb6f3cc5091d6a53b0afb5f5dea17f98
Opcode Fuzzy Hash: 4e386eb5fd21631d84d189eb2b977b90b329a7dcd15c9acb12088fa19e310f9a
Instruction Fuzzy Hash: D9117031B003659FDB21AFB8A4511AEBBF5EF88314B1414B9D806F7242D735DA428BE5

Uniqueness

Uniqueness Score: -1.00%

Function 00E21498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1188336dd98b34a2bafe7c8f4a0ea97967d93b96bfce3cbc2ec1b56c2463bbbb
Instruction ID: 4423d0b811d3ca20a8ea4a1ee1ba6b0bcf7447691b496b7737db8681ff30d9a3
Opcode Fuzzy Hash: 1188336dd98b34a2bafe7c8f4a0ea97967d93b96bfce3cbc2ec1b56c2463bbbb
Instruction Fuzzy Hash: 02016131B002248FDF21EFB8A55119DB7E5EB58314B1414BAD805F7342E735DA418BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00E28F10 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff34ac0d5e92322aa20576b9fe1a47a913de67080cf0f883c18eedada3827cb
Instruction ID: c0e61be34e662253567add514c141bff11577a30777afab8de839132c98c57bf
Opcode Fuzzy Hash: dff34ac0d5e92322aa20576b9fe1a47a913de67080cf0f883c18eedada3827cb
Instruction Fuzzy Hash: 0001623491424CAFCB41FBB8F9659DDBBB5EB40304F0066B9C0099B269DFB06F499792

Uniqueness

Uniqueness Score: -1.00%

Function 00E21524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af56e97699d1248df75390d98338ad7c9ab747e1b1ffc794e2e203c4699f3199
Instruction ID: 66f12b39dfb911b53fb71d7792b983a30436a18b8346781ac64029001b95ea82
Opcode Fuzzy Hash: af56e97699d1248df75390d98338ad7c9ab747e1b1ffc794e2e203c4699f3199
Instruction Fuzzy Hash: C6F02B33A44170CFD7229FA4B4911ACBBA1EEE832171920E7D846FB252D735DA42D751

Uniqueness

Uniqueness Score: -1.00%

Function 00E27EB0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec572bc11ba0767e92d867a2041afbfbc49b7c095b5b33f563b34473fe20386
Instruction ID: 5c69f5aa02bcbad2a4e94dfdcdda5a8f5db86836163a9988b403289cbfc9537b
Opcode Fuzzy Hash: fec572bc11ba0767e92d867a2041afbfbc49b7c095b5b33f563b34473fe20386
Instruction Fuzzy Hash: CDF0C435B00114CFC714EB64E998B6D77B2EF88755F6140A8E5069B3A0CF35AD42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E28F20 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2879692137.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84af1a4d0bafa3b6ed4647433316b37c6eb2b9dcca01192fa999e7399e1261d7
Instruction ID: 9d86aa91295b11e9ad36bff6e872feb6f67eeead7b3150e45d8be45cac82805d
Opcode Fuzzy Hash: 84af1a4d0bafa3b6ed4647433316b37c6eb2b9dcca01192fa999e7399e1261d7
Instruction Fuzzy Hash: D7F06834910109EFCB45FBB8F95199DB7B5EB40304F1066B9C0059B268DF716F498B91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06762E06 Relevance: 6.1, APIs: 4, Instructions: 130threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 06762E86
GetCurrentThread.KERNEL32 ref: 06762EC3
GetCurrentProcess.KERNEL32 ref: 06762F00
GetCurrentThreadId.KERNEL32 ref: 06762F59

Memory Dump Source

Source File: 00000002.00000002.2885920332.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6760000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 66d6915939c5d692ea7661e5094124fca7e183965f8c11e4ec2838d75574e183
Instruction ID: 95f0c76511f708ee8d5b18bf43f24f0e19d011e88b21c2f1f71a8a5db651ae7e
Opcode Fuzzy Hash: 66d6915939c5d692ea7661e5094124fca7e183965f8c11e4ec2838d75574e183
Instruction Fuzzy Hash: B95169B0D003098FDB54DFAAD948BEEBBF1AB48314F20C469E419A7361D7346984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06762E08 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 06762E86
GetCurrentThread.KERNEL32 ref: 06762EC3
GetCurrentProcess.KERNEL32 ref: 06762F00
GetCurrentThreadId.KERNEL32 ref: 06762F59

Memory Dump Source

Source File: 00000002.00000002.2885920332.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6760000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1ed784e6ec9f2dd0550d8de93b1af955b75a076893f095e04c82a57eed90285f
Instruction ID: 9874870348b52ae774f9169b5d864d0a1410fb5ddf2f2a7b63e4434b28832d92
Opcode Fuzzy Hash: 1ed784e6ec9f2dd0550d8de93b1af955b75a076893f095e04c82a57eed90285f
Instruction Fuzzy Hash: 7F5159B0D003098FDB54DFAAD948BDEBBF1AB48314F20C469E419A7361D7746984CF65

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.18376.4403.exe

Function 00A9D7F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 053DD3C5 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Function 053DD3D0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 00A9B55F Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Function 00A95A84 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 00A944E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00A9590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Function 053DD141 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre