Windows Analysis Report
5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe

Overview

General Information

Sample name: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
Analysis ID: 1445896
MD5: ea52eb173762deb852109486758797ad
SHA1: d6326aa179babb5149982c797460347d586988f7
SHA256: 8d2d64d1725161c2aa28dddb6ccb302291badc5a9a96816d0027e5aece23ec4a
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.privateemail.com", "Username": "rex@dino-mx.live", "Password": "BTwcMq@2"}
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Strings:
  • 0x33523:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33595:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3361f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x336b1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3371b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3378d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33823:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x338b3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 00000000.00000002.3243585955.00000000025AC000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000000.1983017793.0000000000082000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000000.1983017793.0000000000082000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.3243585955.0000000002581000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.0.5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe.80000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.0.5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe.80000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.0.5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe.80000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Strings:
  • 0x33523:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33595:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3361f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x336b1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3371b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3378d:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33823:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x338b3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 198.54.122.135, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, Initiated: true, ProcessId: 7044, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705
No Snort rule has matched


AV Detection

Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Avira: detected
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.privateemail.com", "Username": "rex@dino-mx.live", "Password": "BTwcMq@2"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Joe Sandbox ML: detected
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 198.54.122.135:587
Source: Joe Sandbox View | IP Address: 198.54.122.135 198.54.122.135
Source: Joe Sandbox View | IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View | IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.5:49705 -> 198.54.122.135:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.privateemail.com
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3245168842.0000000005920000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243071928.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243071928.00000000007EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3245168842.0000000005920000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243071928.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.privateemail.com
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3245168842.0000000005920000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243071928.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3245168842.0000000005920000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243071928.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.0000000002531000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | String found in binary or memory: https://account.dyn.com/
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | String found in binary or memory: https://api.ipify.org
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.0000000002531000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.0000000002531000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3245168842.0000000005920000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243071928.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, gmBpn1ecBmQ.cs | .Net Code: siUW49

System Summary

                    barindex
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, type: SAMPLEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.0.5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe.80000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_0093E2800_2_0093E280
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_0093A4F80_2_0093A4F8
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_0093A9600_2_0093A960
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_00934A980_2_00934A98
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_00933E800_2_00933E80
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_009341BE0_2_009341BE
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_009341C80_2_009341C8
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_00931A440_2_00931A44
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_00931BA10_2_00931BA1
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_00933E760_2_00933E76
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061DA0680_2_061DA068
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061DBB580_2_061DBB58
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061E55980_2_061E5598
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061E65E80_2_061E65E8
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061EB2300_2_061EB230
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061E23580_2_061E2358
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061EC1700_2_061EC170
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061E7D780_2_061E7D78
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061E76980_2_061E7698
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061EE3900_2_061EE390
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061E00400_2_061E0040
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061E5CF00_2_061E5CF0
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeCode function: 0_2_061E00060_2_061E0006
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000000.1983017793.0000000000082000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename1953639c-f60b-489d-a7df-596e6ab574dc.exe4 vs 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3242639453.00000000004F8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3242906996.000000000070E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeBinary or memory string: OriginalFilename1953639c-f60b-489d-a7df-596e6ab574dc.exe4 vs 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.0.5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe.80000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, roEs93G.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, roEs93G.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, JQn0Aia1.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, JQn0Aia1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, YsrmZ97b.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, YsrmZ97b.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, YsrmZ97b.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, YsrmZ97b.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeBinary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.>
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@2/2
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeMutant created: NULL
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Code function: 0_2_00930CCC push edi; retf 0_2_00930C7A
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Code function: 0_2_061DFCBF push es; retf 0_2_061DFCC8
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Memory allocated: 930000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Memory allocated: 2530000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Memory allocated: 4530000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Window / User API: threadDelayed 1036
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Window / User API: threadDelayed 4258
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 1080 | Thread sleep count: 1036 > 30
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 1080 | Thread sleep count: 4258 > 30
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -99781s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -99672s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -99562s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -99234s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -99125s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -99015s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -98577s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -98468s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -98229s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -98125s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -98009s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -97890s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -97781s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -97672s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -97562s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -97343s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -97234s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe TID: 5404 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 99890
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 99781
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 99672
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 99562
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 99453
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 99343
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 99234
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 99125
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 99015
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 98906
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 98797
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 98687
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 98577
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 98468
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 98359
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 98229
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 98125
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 98009
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 97890
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 97781
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 97672
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 97562
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 97453
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 97343
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 97234
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Thread delayed: delay time: 922337203685477
Source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3245213535.000000000593E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll74
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Queries volume information: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe VolumeInformation
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, type: SAMPLE
Source: Yara match | File source: 0.0.5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3243585955.00000000025AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1983017793.0000000000082000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3243585955.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe PID: 7044, type: MEMORYSTR
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, type: SAMPLE
Source: Yara match | File source: 0.0.5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1983017793.0000000000082000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3243585955.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe PID: 7044, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match; File source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, type: SAMPLE
Source: Yara match; File source: 0.0.5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.3243585955.00000000025AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1983017793.0000000000082000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.3243585955.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe PID: 7044, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; the bracketed digits after a technique are the count badges the matrix shows for it, reproduced as extracted)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [121]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [141]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping [2]; Input Capture [1]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry [1]; Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; System Network Configuration Discovery [1]; File and Directory Discovery [1]; System Information Discovery [24]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Email Collection [1]; Input Capture [1]; Archive Collected Data [11]; Data from Local System [2]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel [11]; Non-Standard Port [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [23]; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Antivirus detection (Source, Detection, Scanner, Label):
5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe: 100%, Avira, TR/Spy.Gen8
5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe: 100%, Joe Sandbox ML
No Antivirus matches

URL detection (Source, Detection, Scanner, Label):
https://api.ipify.org/: 0%, URL Reputation, safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#: 0%, URL Reputation, safe
https://api.ipify.org: 0%, URL Reputation, safe
https://sectigo.com/CPS0: 0%, URL Reputation, safe
https://account.dyn.com/: 0%, URL Reputation, safe
http://ocsp.sectigo.com0: 0%, URL Reputation, safe
https://api.ipify.org/t: 0%, URL Reputation, safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: 0%, URL Reputation, safe
http://mail.privateemail.com: 0%, Avira URL Cloud, safe
Domains (Name, IP, Active, Malicious, Antivirus Detection, Reputation):
mail.privateemail.com: 198.54.122.135, active: true, malicious: true, reputation: unknown
api.ipify.org: 172.67.74.152, active: true, malicious: false, reputation: unknown
Contacted URLs (Name, Malicious, Antivirus Detection, Reputation):
https://api.ipify.org/: malicious: false, URL Reputation: safe, reputation: unknown

URLs found in memory or binary data (Name, Source, Malicious, Antivirus Detection, Reputation):
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#; source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3245168842.0000000005920000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243071928.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp; malicious: false; URL Reputation: safe; reputation: unknown
https://api.ipify.org; source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe; malicious: false; URL Reputation: safe; reputation: unknown
https://sectigo.com/CPS0; source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3245168842.0000000005920000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243071928.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp; malicious: false; URL Reputation: safe; reputation: unknown
https://account.dyn.com/; source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe; malicious: false; URL Reputation: safe; reputation: unknown
http://ocsp.sectigo.com0; source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3245168842.0000000005920000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243071928.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp; malicious: false; URL Reputation: safe; reputation: unknown
https://api.ipify.org/t; source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.0000000002531000.00000004.00000800.00020000.00000000.sdmp; malicious: false; URL Reputation: safe; reputation: unknown
http://mail.privateemail.com; source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.00000000025AC000.00000004.00000800.00020000.00000000.sdmp; malicious: false; Avira URL Cloud: safe; reputation: unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name; source: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe, 00000000.00000002.3243585955.0000000002531000.00000004.00000800.00020000.00000000.sdmp; malicious: false; URL Reputation: safe; reputation: unknown
Contacted IPs (IP, Domain, Country, ASN, ASN Name, Malicious):
198.54.122.135: mail.privateemail.com, United States, ASN 22612, NAMECHEAP-NETUS, malicious: true
172.67.74.152: api.ipify.org, United States, ASN 13335, CLOUDFLARENETUS, malicious: false
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1445896
                        Start date and time:2024-05-22 18:13:05 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 4m 39s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@1/0@2/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 68
                        • Number of non-executed functions: 15
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
Behavior timeline (Time, Type, Description):
12:13:52, API Interceptor: 26x Sleep call for process: 5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe modified
IP context (Match; then per row: Associated Sample Name / URL | Detection | Threat Name | Context):
Match: 198.54.122.135
SecuriteInfo.com.Win64.PWSX-gen.16698.32595.exe | malicious | AgentTesla |
rSipari__PO408232023_ZNG__stanbul_pdf.exe | malicious | AgentTesla |
50 adet PO #408232023_Web Sitesi #U00dcr#U00fcnleri_pdf.exe | malicious | AgentTesla |
17158441246d37802f97c2611e248b49702f7346b2788831fc8c7e217b8fb1e2cb7dbf2dad677.dat-decoded.exe | malicious | AgentTesla |
detalle_transferencia_2024-05-13T064143.173 0200_3049280002017526_PDF.vbs | malicious | AgentTesla |
rSyDiExlek.exe | malicious | Snake Keylogger |
17129026260efdd91c6d1ffeca6e8eda3ece36cd849272dce1a2d9ab3c208be65a370d4493880.dat-decoded.exe | malicious | AgentTesla |
17128389081d4616ae42b2693f5ea6783112f41cb2ee5184f49d983f8bf833df0b0e97b429449.dat-decoded.exe | malicious | AgentTesla |
BBL ADVICE FOR INWARD_BC I650120-000_04012024.vbs | malicious | AgentTesla |
Kmjcdaceubh.exe | malicious | AgentTesla, PureLog Stealer |
Match: 172.67.74.152
K8mzlntJVN.msi | malicious | Unknown | api.ipify.org/
stub.exe | malicious | Unknown | api.ipify.org/
stub.exe | malicious | Unknown | api.ipify.org/
Sonic-Glyder.exe | malicious | Stealit | api.ipify.org/?format=json
Sky-Beta.exe | malicious | Unknown | api.ipify.org/?format=json
Sky-Beta.exe | malicious | Unknown | api.ipify.org/?format=json
Sky-Beta-Setup.exe | malicious | Stealit | api.ipify.org/?format=json
Sky-Beta.exe | malicious | Stealit | api.ipify.org/?format=json
SongOfVikings.exe | malicious | Unknown | api.ipify.org/?format=json
SongOfVikings.exe | malicious | Unknown | api.ipify.org/?format=json
Domain context (Match; then per row: Associated Sample Name / URL | Detection | Threat Name | Context):
Match: mail.privateemail.com
SecuriteInfo.com.Win64.PWSX-gen.16698.32595.exe | malicious | AgentTesla | 198.54.122.135
rSipari__PO408232023_ZNG__stanbul_pdf.exe | malicious | AgentTesla | 198.54.122.135
50 adet PO #408232023_Web Sitesi #U00dcr#U00fcnleri_pdf.exe | malicious | AgentTesla | 198.54.122.135
17158441246d37802f97c2611e248b49702f7346b2788831fc8c7e217b8fb1e2cb7dbf2dad677.dat-decoded.exe | malicious | AgentTesla | 198.54.122.135
detalle_transferencia_2024-05-13T064143.173 0200_3049280002017526_PDF.vbs | malicious | AgentTesla | 198.54.122.135
rSyDiExlek.exe | malicious | Snake Keylogger | 198.54.122.135
17129026260efdd91c6d1ffeca6e8eda3ece36cd849272dce1a2d9ab3c208be65a370d4493880.dat-decoded.exe | malicious | AgentTesla | 198.54.122.135
17128389081d4616ae42b2693f5ea6783112f41cb2ee5184f49d983f8bf833df0b0e97b429449.dat-decoded.exe | malicious | AgentTesla | 198.54.122.135
BBL ADVICE FOR INWARD_BC I650120-000_04012024.vbs | malicious | AgentTesla | 198.54.122.135
Kmjcdaceubh.exe | malicious | AgentTesla, PureLog Stealer | 198.54.122.135
Match: api.ipify.org
SOA_41457.exe | malicious | AgentTesla | 172.67.74.152
INSTALLATION BOQ KATSINA.exe | malicious | AgentTesla | 104.26.13.205
Doc1000050789.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
SecuriteInfo.com.Win64.PWSX-gen.16698.32595.exe | malicious | AgentTesla | 172.67.74.152
rSipari__PO408232023_ZNG__stanbul_pdf.exe | malicious | AgentTesla | 104.26.13.205
MSK203.exe | malicious | GuLoader | 104.26.12.205
PO N#U00b0202415-0004 LUZNAGRA-INDUSTRIA_pdf.exe | malicious | AgentTesla | 104.26.12.205
Offer Required.bat.exe | malicious | AgentTesla | 104.26.12.205
Swift_copy.exe | malicious | AgentTesla | 104.26.12.205
Wire Transfer Payment Copy #18-05-2024.exe | malicious | AgentTesla | 172.67.74.152
ASN context (Match; then per row: Associated Sample Name / URL | Detection | Threat Name | Context):
Match: NAMECHEAP-NETUS
EST- 250424-0370pdf.exe | malicious | FormBook | 162.0.237.22
SecuriteInfo.com.Win64.PWSX-gen.16698.32595.exe | malicious | AgentTesla | 198.54.122.135
rSipari__PO408232023_ZNG__stanbul_pdf.exe | malicious | AgentTesla | 198.54.122.135
50 adet PO #408232023_Web Sitesi #U00dcr#U00fcnleri_pdf.exe | malicious | AgentTesla | 198.54.122.135
Okthabah.exe | malicious | FormBook, GuLoader | 162.0.237.22
taskhost.exe | malicious | Xmrig | 162.255.119.99
http://siddiquimehvish07.github.io/netflix.github.io | malicious | Unknown | 162.0.235.241
Request for Quotation # 3200025006.exe | malicious | FormBook, GuLoader | 162.0.237.22
F2qfVHeuUh.exe | malicious | FormBook | 63.250.43.147
https://www.keysurgical.de/Home/SelectLanguage?language=en-US&redirectUrl=https://energreen.rs/.well-known/acme-challenge/ | malicious | Unknown | 162.0.229.211
Match: CLOUDFLARENETUS
https://link.mail.beehiiv.com/ss/c/u001.CEz1YkosQOgW_2I8tJTUL2rOicXJM7RxHjhrRWDeG5g4TuF3JnRWze3ceZ9WwqET/46i/a2N64yc5RA-IsZ3qpS7tjQ/h6/h001.j_JgYHgZoY9wighPNvNrp_oY-YX91EMEgYGT_rGLcUU | malicious | Unknown | 104.16.117.116
https://oknya83345.eleteriod.com/infd201971/#YWhlaW5tYWFAY2lkZWwuY29t | malicious | HTMLPhisher | 104.17.2.184
what dmv forms do i need to sell my car in ny 88970.js | malicious | GookitLoader | 172.67.210.170
https://idujew.sbs/NOT5u64664/index.php?lpkey=174916883959189c66&trkd=edygik.org&lpkey1=55d651zqqmy1nvr4a6&language=en-GB&scanid=55d651zqqmy1nvr4a6&ip=84.43.87.132&t1=36&t2=ALL&t3=pn&t4=796&t5=1805&dm=1&pbid=3417&uid=8xOEX_FfuSdS9gxXBMKnAtAB9taRkK&uclick=1zqqmy1nvr&uclickhash=1zqqmy1nvr-1zqqmy1nvr-b4-x9-8r8n-2tmyi4-2t1n3y-a154fa | malicious | Unknown | 188.114.96.3
https://xerox-ndzda15184.strudse.com/edtpx73416/#bGNvbnJhZEBoaW5ja2xleWFsbGVuLmNvbQ== | malicious | HTMLPhisher | 104.17.2.184
http://www.cpcheckme.com | malicious | Unknown | 104.17.25.14
ZXQ3AcEN5Q.exe | malicious | Unknown | 172.64.41.3
https://worker-yellow-recipe-87f5.krevidajrezart.workers.dev/ | malicious | HTMLPhisher | 104.17.25.14
https://forfbidrecrossboot.pages.dev/503.js | malicious | Unknown | 188.114.96.3
ZXQ3AcEN5Q.exe | malicious | Unknown | 104.21.45.251
JA3 fingerprint context (Match; then per row: Associated Sample Name / URL | Detection | Threat Name | Context):
Match: 3b5074b1b5d032e5620f69f9f700ff0e
what dmv forms do i need to sell my car in ny 88970.js | malicious | GookitLoader | 172.67.74.152
RFQ-101432620247fl#U00e2#U00aexslx.exe | malicious | AgentTesla | 172.67.74.152
SOA_41457.exe | malicious | AgentTesla | 172.67.74.152
QUOTATION SHEET_RFQ 564077 2024.5.17.exe | malicious | AgentTesla | 172.67.74.152
INSTALLATION BOQ KATSINA.exe | malicious | AgentTesla | 172.67.74.152
https://www.google.com.bh/url?hl=en&q=https://www.google.com.bh/url?hl%3Den%26q%3Dhttp://www.google.com/amp/www.google.com/amp/www.google.com/amp/%252574%252569%25256E%252579%252575%252572%25256C%25252E%252563%25256F%25256D%25252F%25256D%252576%252574%252575%252575%252566%252537%252533%26source%3Dgmail%26ust%3D1716286979743000%26usg%3DAOvVaw0kIG15Hao_4RLWdhQSbrTj&source=gmail&ust=1716287016979000&usg=AOvVaw2OvZXU7t2_QCy0TjxskKGn | malicious | Unknown | 172.67.74.152
New Order.exe | malicious | Unknown | 172.67.74.152
New Order.exe | malicious | Unknown | 172.67.74.152
http://twomancake.com | malicious | Unknown | 172.67.74.152
Doc1000050789.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
                                            No context
                                            No created / dropped files found
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):5.004495501190702
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
                                            File size:240'128 bytes
                                            MD5:ea52eb173762deb852109486758797ad
                                            SHA1:d6326aa179babb5149982c797460347d586988f7
                                            SHA256:8d2d64d1725161c2aa28dddb6ccb302291badc5a9a96816d0027e5aece23ec4a
                                            SHA512:198dce7ae340f4890c6787cd9a97ba4d931b69d031daed80f7bc2019d4c5dae21aaf877dc5bc5c050c5ddf774661ee40584233014487eccff117b70aedae2491
                                            SSDEEP:3072:VhSmieCmikyXi0bydYt/lrjHVtWV5qeLrgtL:VhSmieCmikyXi0byk9/HVt8rU
                                            TLSH:60340F037E88EB15D1A83E3782EF6D2413B2B4C71633C60B6F49AF6518516825D7EB2D
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Cf............................n.... ........@.. ....................................@................................
                                            Icon Hash:00928e8e8686b000
                                            Entrypoint:0x43bf6e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x6643A583 [Tue May 14 17:55:15 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add al, byte ptr [eax]
                                            adc byte ptr [eax], al
                                            add byte ptr [eax], al
                                            and byte ptr [eax], al
                                            add byte ptr [eax+00000018h], al
                                            push eax
                                            add byte ptr [eax], al
                                            add byte ptr [eax], 00000000h
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add dword ptr [eax], eax
                                            add dword ptr [eax], eax
                                            add byte ptr [eax], al
                                            cmp byte ptr [eax], al
                                             Name                                  Virtual Address  Virtual Size  Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                             IMAGE_DIRECTORY_ENTRY_IMPORT          0x3bf18          0x53          .text
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3c000          0x546         .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                             IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3e000          0xc           .reloc
                                             IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                             IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                             IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                             IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                             Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                             .text   0x2000           0x39f74       0x3a000   00a3909bd05f93a3837e78025c08fe80  False     0.3577502020474138  data       5.015918661488969    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                             .rsrc   0x3c000          0x546         0x600     b264bd5e3ffb9db1666f019685939f55  False     0.4029947916666667  data       4.0106295185141425   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .reloc  0x3e000          0xc           0x200     47722ed4378cb86afb4b1954e8c92277  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                             Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
                                             RT_VERSION   0x3c0a0  0x2bc  data                                                                                                  0.44285714285714284
                                             RT_MANIFEST  0x3c35c  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5469387755102041
                                             DLL          Import
                                             mscoree.dll  _CorExeMain
                                             Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                                             May 22, 2024 18:13:50.987557888 CEST  49704        443        192.168.2.5     172.67.74.152
                                             May 22, 2024 18:13:50.987603903 CEST  443          49704      172.67.74.152   192.168.2.5
                                             May 22, 2024 18:13:50.987828016 CEST  49704        443        192.168.2.5     172.67.74.152
                                             May 22, 2024 18:13:50.995300055 CEST  49704        443        192.168.2.5     172.67.74.152
                                             May 22, 2024 18:13:50.995368004 CEST  443          49704      172.67.74.152   192.168.2.5
                                             May 22, 2024 18:13:51.490605116 CEST  443          49704      172.67.74.152   192.168.2.5
                                             May 22, 2024 18:13:51.490866899 CEST  49704        443        192.168.2.5     172.67.74.152
                                             May 22, 2024 18:13:51.494224072 CEST  49704        443        192.168.2.5     172.67.74.152
                                             May 22, 2024 18:13:51.494276047 CEST  443          49704      172.67.74.152   192.168.2.5
                                             May 22, 2024 18:13:51.494713068 CEST  443          49704      172.67.74.152   192.168.2.5
                                             May 22, 2024 18:13:51.539978981 CEST  49704        443        192.168.2.5     172.67.74.152
                                             May 22, 2024 18:13:51.582511902 CEST  443          49704      172.67.74.152   192.168.2.5
                                             May 22, 2024 18:13:52.507375956 CEST  443          49704      172.67.74.152   192.168.2.5
                                             May 22, 2024 18:13:52.507523060 CEST  443          49704      172.67.74.152   192.168.2.5
                                             May 22, 2024 18:13:52.507879972 CEST  49704        443        192.168.2.5     172.67.74.152
                                             May 22, 2024 18:13:52.513277054 CEST  49704        443        192.168.2.5     172.67.74.152
                                             May 22, 2024 18:13:52.965719938 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:52.970714092 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:52.970901012 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:53.631640911 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:53.632011890 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:53.637463093 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:53.790719986 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:53.791053057 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:53.796005964 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:53.947731018 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:53.948462963 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:53.953428030 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.107162952 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.109297991 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.109498978 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:54.114021063 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.118983984 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.118999958 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.119040012 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:54.132498026 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.132590055 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:54.156265974 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:54.187964916 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.347467899 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.351870060 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:54.357345104 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.514314890 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.515434027 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:54.535021067 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.690218925 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.718137980 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:54.723074913 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.881850958 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:54.889238119 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:54.894157887 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:55.051369905 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:55.051762104 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:55.057353020 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:55.250443935 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:55.250677109 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:55.255705118 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:55.423995018 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:55.424962997 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:55.425055981 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:55.425055981 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:55.425055981 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:13:55.430039883 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:55.435869932 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:55.487266064 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:55.487274885 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:55.821208000 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:13:55.868885040 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:15:32.978312969 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:15:32.998413086 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:15:33.152476072 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:15:33.153117895 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:15:33.157126904 CEST  587          49705      198.54.122.135  192.168.2.5
                                             May 22, 2024 18:15:33.157284021 CEST  49705        587        192.168.2.5     198.54.122.135
                                             May 22, 2024 18:15:33.203636885 CEST  587          49705      198.54.122.135  192.168.2.5
                                             Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                             May 22, 2024 18:13:50.922910929 CEST  58890        53         192.168.2.5  1.1.1.1
                                             May 22, 2024 18:13:50.980293036 CEST  53           58890      1.1.1.1      192.168.2.5
                                             May 22, 2024 18:13:52.956156969 CEST  52936        53         192.168.2.5  1.1.1.1
                                             May 22, 2024 18:13:52.964782953 CEST  53           52936      1.1.1.1      192.168.2.5
                                             Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class        DNS over HTTPS
                                             May 22, 2024 18:13:50.922910929 CEST  192.168.2.5  1.1.1.1  0x86fd    Standard query (0)  api.ipify.org          A (IP address)  IN (0x0001)  false
                                             May 22, 2024 18:13:52.956156969 CEST  192.168.2.5  1.1.1.1  0x1080    Standard query (0)  mail.privateemail.com  A (IP address)  IN (0x0001)  false
                                             Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                   CName  Address         Type            Class        DNS over HTTPS
                                             May 22, 2024 18:13:50.980293036 CEST  1.1.1.1    192.168.2.5  0x86fd    No error (0)  api.ipify.org                 172.67.74.152   A (IP address)  IN (0x0001)  false
                                             May 22, 2024 18:13:50.980293036 CEST  1.1.1.1    192.168.2.5  0x86fd    No error (0)  api.ipify.org                 104.26.12.205   A (IP address)  IN (0x0001)  false
                                             May 22, 2024 18:13:50.980293036 CEST  1.1.1.1    192.168.2.5  0x86fd    No error (0)  api.ipify.org                 104.26.13.205   A (IP address)  IN (0x0001)  false
                                             May 22, 2024 18:13:52.964782953 CEST  1.1.1.1    192.168.2.5  0x1080    No error (0)  mail.privateemail.com         198.54.122.135  A (IP address)  IN (0x0001)  false
                                            • api.ipify.org
                                             Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                             0           192.168.2.5  49704        172.67.74.152   443               7044  C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
                                             Timestamp                Bytes transferred  Direction  Data
                                             2024-05-22 16:13:51 UTC  155                OUT        GET / HTTP/1.1
                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                                    Host: api.ipify.org
                                                                                                    Connection: Keep-Alive
                                             2024-05-22 16:13:52 UTC  211                IN         HTTP/1.1 200 OK
                                                                                                    Date: Wed, 22 May 2024 16:13:52 GMT
                                                                                                    Content-Type: text/plain
                                                                                                    Content-Length: 12
                                                                                                    Connection: close
                                                                                                    Vary: Origin
                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                    Server: cloudflare
                                                                                                    CF-RAY: 887e188d7b357d26-EWR
                                             2024-05-22 16:13:52 UTC  12                 IN         Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35
                                                                                                    Data Ascii: 8.46.123.175


                                             Timestamp                             Source Port  Dest Port  Source IP       Dest IP         Commands
                                             May 22, 2024 18:13:53.631640911 CEST  587          49705      198.54.122.135  192.168.2.5     220 PrivateEmail.com prod Mail Node
                                             May 22, 2024 18:13:53.632011890 CEST  49705        587        192.168.2.5     198.54.122.135  EHLO 899552
                                             May 22, 2024 18:13:53.790719986 CEST  587          49705      198.54.122.135  192.168.2.5     250-mta-06.privateemail.com
                                                                                                                                           250-PIPELINING
                                                                                                                                           250-SIZE 81788928
                                                                                                                                           250-ETRN
                                                                                                                                           250-AUTH PLAIN LOGIN
                                                                                                                                           250-ENHANCEDSTATUSCODES
                                                                                                                                           250-8BITMIME
                                                                                                                                           250-CHUNKING
                                                                                                                                           250 STARTTLS
                                             May 22, 2024 18:13:53.791053057 CEST  49705        587        192.168.2.5     198.54.122.135  STARTTLS
                                             May 22, 2024 18:13:53.947731018 CEST  587          49705      198.54.122.135  192.168.2.5     220 Ready to start TLS
                                            Target ID:0
                                            Start time:12:13:50
                                            Start date:22/05/2024
                                            Path:C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_payload.exe"
                                            Imagebase:0x80000
                                            File size:240'128 bytes
                                            MD5 hash:EA52EB173762DEB852109486758797AD
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3243585955.00000000025AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1983017793.0000000000082000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.1983017793.0000000000082000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3243585955.00000000025B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3243585955.0000000002581000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3243585955.0000000002581000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:false
                                              Execution Graph

                                              Execution Coverage:11.1%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:197
                                              Total number of Limit Nodes:20
                                               execution_graph: node and edge data of the interactive execution graph (not reproduced here). API calls referenced by graph nodes: CallWindowProcW, GlobalMemoryStatusEx, GetModuleHandleW, CreateWindowExW, DuplicateHandle, LoadLibraryExW.
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                              • API String ID: 0-3723351465
                                              • Opcode ID: e890667c278ed8e42c8d968038971793fff20b43a97d586b81aa4f22a52f5b59
                                              • Instruction ID: f2f06917fd23c05fad8ac5a5df58a79f760fef07cee937bb1252ccd145b0e2bb
                                              • Opcode Fuzzy Hash: e890667c278ed8e42c8d968038971793fff20b43a97d586b81aa4f22a52f5b59
                                              • Instruction Fuzzy Hash: 92D26A30E006058FDB64DF68C594A9DB7F6FF89300F5585AAD409AB365EB34ED86CB80
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                              • API String ID: 0-3723351465
                                              • Opcode ID: 00229c60d9e216bc4578eb637725faa479bd5ca27035b714ce3f9d666b89b2d4
                                              • Instruction ID: 5e189ce80249b1264848e3e59dec3fbcbe2e617b68e200fe802090a87ddd5245
                                              • Opcode Fuzzy Hash: 00229c60d9e216bc4578eb637725faa479bd5ca27035b714ce3f9d666b89b2d4
                                              • Instruction Fuzzy Hash: 00528270E046098FDF64CB68D690BAEB7B6EF85310F20882AE409DB355DB35DD46CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3243193544.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_930000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 98f7353a393783f54bde8673f7e96563d6b838e707129e892215fc9e74a586ec
                                              • Instruction ID: 5bad06fc710090b5918e0c4ab7b1d4b1a6e545fb11cb3fc2792bd5cacbeda0d9
                                              • Opcode Fuzzy Hash: 98f7353a393783f54bde8673f7e96563d6b838e707129e892215fc9e74a586ec
                                              • Instruction Fuzzy Hash: 0F631A31D10B1A8ACB11EF68C8546A9F7B1FF99300F15D79AE058B7121EB70AAD5CF81

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              (Control-flow graph node/edge dump removed; first listed block 61e7d78-61e7d96, with calls to 61e6598.)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $]q$$]q
                                              • API String ID: 0-127220927
                                              • Opcode ID: 1f8ae6e04f837a6e363a4e59e486ade23b21292f91eefb2ef4dc9f6fcae1031d
                                              • Instruction ID: c1e6abadd473ab0ae867dcaf6402211a04af5b6987a4ec38298eeac33a558517
                                              • Opcode Fuzzy Hash: 1f8ae6e04f837a6e363a4e59e486ade23b21292f91eefb2ef4dc9f6fcae1031d
                                              • Instruction Fuzzy Hash: 32028C30B006158FDB98DF78D490AAEB7E2EF88300F158929E409DB395DB35ED46CB91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              (Control-flow graph node/edge dump removed; first listed block 93e280-93e292, with calls to 937b10 and 930350.)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3243193544.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_930000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Xaq$$]q
                                              • API String ID: 0-1280934391
                                              • Opcode ID: bd4bd2e6045eaed2c53eab388fe5a7c38201615a61079bd815da094627939c24
                                              • Instruction ID: 8d33b4219d89bc8d060b1721be3239156d1c285f73e39238b6196f92e1f0de4a
                                              • Opcode Fuzzy Hash: bd4bd2e6045eaed2c53eab388fe5a7c38201615a61079bd815da094627939c24
                                              • Instruction Fuzzy Hash: 44B1A530B042198BDB08EBB9985567E7BB7BFC8710F14892DD406D7399DE38CC069B92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $
                                              • API String ID: 0-3993045852
                                              • Opcode ID: 03900d41ff10d54229a2fbde1f654124e44e0e7643a21568302415ee03863303
                                              • Instruction ID: 171144d1e506ffcc33f0a83390bd987a8fe89e9128b52bb693b193b8788f65c9
                                              • Opcode Fuzzy Hash: 03900d41ff10d54229a2fbde1f654124e44e0e7643a21568302415ee03863303
                                              • Instruction Fuzzy Hash: 0D22E135E006158FDF64DBA5C5906AEBBF3EF84318F24846AD40AAB344DB36DD42CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3243193544.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_930000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vl
                                              • API String ID: 0-682378881
                                              • Opcode ID: c011f98131464296836bffff7904f38717a76e83b92a4d56712470c180f45a9d
                                              • Instruction ID: e97c6df45662296769258935f5fb1e8ad14015aeb8df1925d41516b85d53c875
                                              • Opcode Fuzzy Hash: c011f98131464296836bffff7904f38717a76e83b92a4d56712470c180f45a9d
                                              • Instruction Fuzzy Hash: B2917C70E00209CFDF14CFA8C98579EBBF6AF98314F148129E415A7254EB74A986CF81
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3243193544.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_930000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \Vl
                                              • API String ID: 0-682378881
                                              • Opcode ID: d6a61c6e7dd3c9fe9e37da2a5c603b738e07ad25242de89418839d330b41efb0
                                              • Instruction ID: e212ad5dba51eae785ad72aa36cca7f516528138e678103e5b8f2af5b6705136
                                              • Opcode Fuzzy Hash: d6a61c6e7dd3c9fe9e37da2a5c603b738e07ad25242de89418839d330b41efb0
                                              • Instruction Fuzzy Hash: D0A17B70E0420ADFDF14CFA8C9857DEBBF5AF98314F148129E414A7254EB74A986CF81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c60d1d104dade7293b00c3b79bea4fba48ad4ff022e94bf7afc4c70e4ebf5767
                                              • Instruction ID: c682d3c49db2b7cd2dca30b7c937afee0cffbfec34bdd9da4cfd76f9a8f2e68d
                                              • Opcode Fuzzy Hash: c60d1d104dade7293b00c3b79bea4fba48ad4ff022e94bf7afc4c70e4ebf5767
                                              • Instruction Fuzzy Hash: C462AD34F006048FDB64DB68D594AADB7F2EF88314F548869E40ADB3A5DB35EC46CB81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f8be65b3991a078bedb3255f4706022c5b98440104ff190e1bb440e2a74dac39
                                              • Instruction ID: a41d41b785a8220405bc8ecf4649d65c34ed6d2c343b99264d6cc1afcb0f5042
                                              • Opcode Fuzzy Hash: f8be65b3991a078bedb3255f4706022c5b98440104ff190e1bb440e2a74dac39
                                              • Instruction Fuzzy Hash: E6329E34B006098FDB54DB68D990BAEBBB6FF88314F10842AE419E7355DB35EC46CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3243193544.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_930000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fc3ba3997de8e90ce06e159b01963bf4aa93aee39a5267052d659b3c709fbef2
                                              • Instruction ID: b3622e3b0a84a5d523e7e2e81983fca2ba0fda44b17f5b8f28fa4417e161b2fa
                                              • Opcode Fuzzy Hash: fc3ba3997de8e90ce06e159b01963bf4aa93aee39a5267052d659b3c709fbef2
                                              • Instruction Fuzzy Hash: 67D1AF71A002058FDB14CF68D8847AEBBBAFF89310F24856AE409DB395D734DD45CB92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3243193544.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_930000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 869ec8bec85bcd6f06ae6e183f3cbb0fe459146450b164c072735e45f88a376f
                                              • Instruction ID: 5b387d5556682b8bd4d3a6a422fdf04de0d546da5ab563eccb3ee1e13963fa25
                                              • Opcode Fuzzy Hash: 869ec8bec85bcd6f06ae6e183f3cbb0fe459146450b164c072735e45f88a376f
                                              • Instruction Fuzzy Hash: 21B13D70E002098FDF10CFA9D9857EDBBF6AF88314F158529D859E7294EB74A885CF81

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              (Control-flow graph node/edge dump removed; first listed block 61eacc8-61eace6, with calls to 61eb230, 61eb220 and 61e6598.)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: XMm$XMm$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                              • API String ID: 0-3681692842
                                              • Opcode ID: e4c4b562bfde2cd23b935e659117734d987a06e0572f1b5e5808cea31c97a276
                                              • Instruction ID: 5e42a2a539622d5cb00ed7de7ae3347ea15437487303f7f68b232d964abfa466
                                              • Opcode Fuzzy Hash: e4c4b562bfde2cd23b935e659117734d987a06e0572f1b5e5808cea31c97a276
                                              • Instruction Fuzzy Hash: A2E18230E106098FCB69DFA9D5906AEB7B6FF85310F10892AE809DB354DB35DC46CB91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              (Control-flow graph node/edge dump removed; first listed block 61db228-61db237, with calls to 61da17c, 61db4b1, 61da188, 61d399c, 61d9ff8, 61da198 and GetModuleHandleW.)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245620628.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61d0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID: Sn$Sn
                                              • API String ID: 4139908857-2618209287
                                              • Opcode ID: dca40d8987f317beb3718638b71d10868489fd1976a2b10a1ecbaf02ef4c5567
                                              • Instruction ID: 86c98a7a0d2b8e00904e41217287f8e8e736839bd281203952f9d2296a79efca
                                              • Opcode Fuzzy Hash: dca40d8987f317beb3718638b71d10868489fd1976a2b10a1ecbaf02ef4c5567
                                              • Instruction Fuzzy Hash: AC7132B0A00B059FDBA4DF6AD44475ABBF5FF88704F00892ED48A97A50DB74E909CB90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              (Control-flow graph node/edge dump removed; first listed block 61e9148-61e916d, no calls recorded.)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $]q$$]q$$]q$$]q
                                              • API String ID: 0-858218434
                                              • Opcode ID: 70f02c71fac8cdd473458b6e3a548c3df8edcffc5703b25424dbd487b60720cc
                                              • Instruction ID: 14e52bd97b4c67bdf30c93c507893bdffa8c6f48ca609d719ecd6fc6cbd09285
                                              • Opcode Fuzzy Hash: 70f02c71fac8cdd473458b6e3a548c3df8edcffc5703b25424dbd487b60720cc
                                              • Instruction Fuzzy Hash: 73913230F0061A9FDB54DF65D850BAE77F6AFC8204F10896AD809DB394EB70DD468B91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              (Control-flow graph node/edge dump removed; first listed block 61ecf30-61ecf4b, with calls to 61edab8, 61edaa5 and 61e6598.)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $]q$$]q$$]q
                                              • API String ID: 0-182748909
                                              • Opcode ID: 9c89c8ee9e07f42ad758effc6f9051492efec016598f46cdd32494daf30dd640
                                              • Instruction ID: 3abae414138dcfd4f4d8a80ad9690ba6a2d3abb0c6747fcaa2f515848ed08f1d
                                              • Opcode Fuzzy Hash: 9c89c8ee9e07f42ad758effc6f9051492efec016598f46cdd32494daf30dd640
                                              • Instruction Fuzzy Hash: 23623F30A0060A8FCB55EF68E590E5EB7F6FF85304B208969D0059F369DB75ED4ACB81

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fbq$XPbq$\Obq
                                              • API String ID: 0-4057264190
                                              • Opcode ID: 211d3b0c03335df4b647642c68fdd7bef566d924cb81f8b6f57907bafec61ebc
                                              • Instruction ID: 95af29f383caa7381759b44adbb67ca79c9f7199e62edac57b6d6e1cdc5edf35
                                              • Opcode Fuzzy Hash: 211d3b0c03335df4b647642c68fdd7bef566d924cb81f8b6f57907bafec61ebc
                                              • Instruction Fuzzy Hash: 19617230E002199FEB549FA5C4547AEBBF6FB88300F20842AE109AB395DF758D458B95

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $]q$$]q
                                              • API String ID: 0-127220927
                                              • Opcode ID: 8b86dc52162dd622ef742762ca8a3fc7162cd3f8755c3e035fd5e26cb844c2b3
                                              • Instruction ID: bcd53deff77612d0a7bce661295510b73395a2c80896384b1c0cd09af319f4b8
                                              • Opcode Fuzzy Hash: 8b86dc52162dd622ef742762ca8a3fc7162cd3f8755c3e035fd5e26cb844c2b3
                                              • Instruction Fuzzy Hash: 76515430B005059FDB54DF74D860BAE77F6ABC8650F10886AD809D7394EB30DD46CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: fbq$XPbq
                                              • API String ID: 0-2292610095
                                              • Opcode ID: 47fa0549eefd9270d57065f4eb4843b3b690849b929636adb94d3786d1d2bcd2
                                              • Instruction ID: a52605c35f709b91be6c44528bac73c4a497a38f3e7c6bff846f00f5f9d44cd0
                                              • Opcode Fuzzy Hash: 47fa0549eefd9270d57065f4eb4843b3b690849b929636adb94d3786d1d2bcd2
                                              • Instruction Fuzzy Hash: 1B518030F002189FDB549FA5C855BAEBAF6BF88700F20852EE105AB395DB758D058B91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3243193544.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_930000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3cfaa192f79992530b190f0b2181db09a5128ae842115b8f20c251db9c894488
                                              • Instruction ID: 044f5e7fc44f0bca446bb674e23ee746708a7e10110cbf073282c94fa81003b7
                                              • Opcode Fuzzy Hash: 3cfaa192f79992530b190f0b2181db09a5128ae842115b8f20c251db9c894488
                                              • Instruction Fuzzy Hash: 24412372D043598FCB10DFB9D8446EEBBF5AF89310F14856AD408A7380EB389945CBE0
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 061DD922
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245620628.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61d0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 6add7ec6b902a891aa7f52ff833d96eef887871725af7df4fce72e3be0897c8a
                                              • Instruction ID: bcdecaf4c133afb3c836b182c4e6a2d22b7f73e36c0355d09535b3dbd59a8e77
                                              • Opcode Fuzzy Hash: 6add7ec6b902a891aa7f52ff833d96eef887871725af7df4fce72e3be0897c8a
                                              • Instruction Fuzzy Hash: CA51C0B1D10349AFDB14CF99D984ADEFFB5BF48310F24852AE419AB210D775A885CF90
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 061DD922
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245620628.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61d0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 810396f64b0a67efcc8b0ffe57ed9648a5b8d49b348558fad876bcc29e83e965
                                              • Instruction ID: cc83c66a2bd6410657bc96ef12cf0e280f2c57669045369f307d341bda432278
                                              • Opcode Fuzzy Hash: 810396f64b0a67efcc8b0ffe57ed9648a5b8d49b348558fad876bcc29e83e965
                                              • Instruction Fuzzy Hash: 4E41BFB1D10309DFDB14CF9AD984ADEFBB5BF48310F24812AE818AB210D775A885CF90
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 061DFE91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245620628.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61d0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: cfa8d07d5eb368a965838a5d2de555678a196fe7a56750058453d2da6b792ae4
                                              • Instruction ID: 04cba3d57ad44ff838ac8cb38f9c51a2f17b97f48463f3449b424918f5e55e61
                                              • Opcode Fuzzy Hash: cfa8d07d5eb368a965838a5d2de555678a196fe7a56750058453d2da6b792ae4
                                              • Instruction Fuzzy Hash: 0B413AB4900309CFCB54CF9AC848AAAFBF5FF88314F25C859D519A7321D334A945CBA0
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 061D30D7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245620628.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61d0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: d65850fde103bb8c3427a20fcc705d6645d0790f92f8954bb7ba7b6329b94f07
                                              • Instruction ID: df7b287efae30e32a627897b4a2db4c69611a958b196d90fcc57dd568377ec34
                                              • Opcode Fuzzy Hash: d65850fde103bb8c3427a20fcc705d6645d0790f92f8954bb7ba7b6329b94f07
                                              • Instruction Fuzzy Hash: 9B21E4B5D002099FDB10CFAAD584AEEFBF5FB48310F14841AE918A7350D379A940CFA1
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 061D30D7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245620628.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61d0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: bae0a1ca56be401a7dced51c6177491257a508151d00608bb2270c55499722b2
                                              • Instruction ID: af33294f9ad3b91756672b4822324f2e319f4a8bd090144960cfcc041a49ea13
                                              • Opcode Fuzzy Hash: bae0a1ca56be401a7dced51c6177491257a508151d00608bb2270c55499722b2
                                              • Instruction Fuzzy Hash: 1A21C4B5D002499FDB10CF9AD984ADEFBF9FB48310F14841AE918A3350D379A944DFA5
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 061DB6EA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245620628.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61d0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 2a07bbdd67f2813ad2fd07a28f563cfb96b6804dc1d7a7b050c00769f3dc052d
                                              • Instruction ID: 6590a4a6eb44717c606d9009515f9a72d13ecf3fde82265f0eec8a3c4dee94c3
                                              • Opcode Fuzzy Hash: 2a07bbdd67f2813ad2fd07a28f563cfb96b6804dc1d7a7b050c00769f3dc052d
                                              • Instruction Fuzzy Hash: 3D1114B6C042499FCB10CF9AD844ADEFBF8EB48320F10841EE419A7210C779A545CFA5
                                              APIs
                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0093EB6A), ref: 0093EC57
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3243193544.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_930000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 0bc8e92b84ffa11b02004129b7cfc1015dcb9a5ee8a9ac04bb74fb42c6a5c02a
                                              • Instruction ID: f0dac20bb0411219e030ba9dbf0d2b8781f31afb5dfe4b398b686f16e35ce7c5
                                              • Opcode Fuzzy Hash: 0bc8e92b84ffa11b02004129b7cfc1015dcb9a5ee8a9ac04bb74fb42c6a5c02a
                                              • Instruction Fuzzy Hash: B01100B1C0065A9BCB10DF9AC544BAEFBF4EF48320F14816AE918B7240D778A940CFE5
                                              APIs
                                              • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0093EB6A), ref: 0093EC57
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3243193544.0000000000930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00930000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_930000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: f6319255ec51915cbf509cdaa50948d300e2a5d023848fcd40496df5a922588b
                                              • Instruction ID: 3a92a39c24478ac321dab7242b6d7c398670f4b0656d7528c4e323441a8059a1
                                              • Opcode Fuzzy Hash: f6319255ec51915cbf509cdaa50948d300e2a5d023848fcd40496df5a922588b
                                              • Instruction Fuzzy Hash: 9F1123B1C006599BCB10DFAAC544BDEFBF5BF48320F14816AD428B7240D378A944CFA1
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 061DB6EA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245620628.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61d0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 27289a69784f5d80759a5f656449a2d92bb11e135f549fbb6e8b9609905e9322
                                              • Instruction ID: 2e96f2e994eac3da17627fb320e3d248435498d0ce385b1287684e4906c37ac3
                                              • Opcode Fuzzy Hash: 27289a69784f5d80759a5f656449a2d92bb11e135f549fbb6e8b9609905e9322
                                              • Instruction Fuzzy Hash: 2311F3B6C042499FDB10DF9AD944ADEFBF8EB48320F10842ED519A7210C379A545CFA5
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,061DB244), ref: 061DB47E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245620628.00000000061D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61d0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 72f656310d315646b8b2461d5245a0029303c3d713cdf5a4bec26230f4c689cd
                                              • Instruction ID: 30d47a92eb8baae086f4934cfd6621486eb78ba7b25ed7bf5fb03e3a52539f9c
                                              • Opcode Fuzzy Hash: 72f656310d315646b8b2461d5245a0029303c3d713cdf5a4bec26230f4c689cd
                                              • Instruction Fuzzy Hash: 96110FB5C043498FCB20DF9AC544ADEFBF4EF88624F11842AD91AA7210D379A545CFA1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PH]q
                                              • API String ID: 0-3168235125
                                              • Opcode ID: d431314767d23e4f6610b4508879927ddf1a0753c8c595058681db7fbf385cf9
                                              • Instruction ID: 39644b11bf8d9329f8413d177f540e69be7cb8b187dbb19057de91c0792d831a
                                              • Opcode Fuzzy Hash: d431314767d23e4f6610b4508879927ddf1a0753c8c595058681db7fbf385cf9
                                              • Instruction Fuzzy Hash: 4841AF30E00609DFDB64DF65E8506AEBBB6FF85300F208929E406E7350EB70D946CB81
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PH]q
                                              • API String ID: 0-3168235125
                                              • Opcode ID: fec8e479cc1273658fadc74bc532154a8af08bab06d626435cef8f09de3cfe5b
                                              • Instruction ID: ebd7ed5a62414bbf0e638bea90afbc2569849cbabe506ff9f72b565c2ba494a8
                                              • Opcode Fuzzy Hash: fec8e479cc1273658fadc74bc532154a8af08bab06d626435cef8f09de3cfe5b
                                              • Instruction Fuzzy Hash: 2A41C230E006499FDB65DF65E88069EBBB6FF86300F208529E405DB350EB70D946CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PH]q
                                              • API String ID: 0-3168235125
                                              • Opcode ID: 59ed09438f50e49a69d1fe6b1c50eb0cc946c1152c63f9b831b7c70d243b9e8b
                                              • Instruction ID: fc8622a7de6c7009225a7f6a9fc5ed8152197b9941ff475718ed5dbd15e441d1
                                              • Opcode Fuzzy Hash: 59ed09438f50e49a69d1fe6b1c50eb0cc946c1152c63f9b831b7c70d243b9e8b
                                              • Instruction Fuzzy Hash: C731E030B102029FDB489F74C864A6E7BEBAF89240F144479D406DB395DF35DE46CBA5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PH]q
                                              • API String ID: 0-3168235125
                                              • Opcode ID: 3d648a8c08c9ee907006bb49eebb8fd596b4bc670ddb60179f84d6b843c3f142
                                              • Instruction ID: c149ebbc87d5d367e40ce9a0f256929284c06ac145c2e6c8001a20d53fd0c0b6
                                              • Opcode Fuzzy Hash: 3d648a8c08c9ee907006bb49eebb8fd596b4bc670ddb60179f84d6b843c3f142
                                              • Instruction Fuzzy Hash: 5431F230B102028FDB489B74D924A6E3AEBAF89300F20443DD406DB395DF35DE06CBA5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $]q
                                              • API String ID: 0-1007455737
                                              • Opcode ID: 5e73e88032fd22e44547c5124503b275a0a282992bc58e625dd32880fb2efbee
                                              • Instruction ID: fa91046d10013f9ef222548d41810ff607d9bcf9569c6d45fecd2a1929f4b200
                                              • Opcode Fuzzy Hash: 5e73e88032fd22e44547c5124503b275a0a282992bc58e625dd32880fb2efbee
                                              • Instruction Fuzzy Hash: 51F0FF31F00604CFDFE9DE58E991A6C73A5EB44210F09486AD908CB354D731D90ACB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ccf545d8cb6185950d8c39f55327d7fc5bf146dc479c67374a558c02d15fbfb4
                                              • Instruction ID: 1af43b246f8744eeca90a7d4c11a88f49600b7b26cd9f34256e098d172ce0ed3
                                              • Opcode Fuzzy Hash: ccf545d8cb6185950d8c39f55327d7fc5bf146dc479c67374a558c02d15fbfb4
                                              • Instruction Fuzzy Hash: 45A18570F045098FDF64DBA9D690BAE77A6EF89310F20482AE409E7395CB38DD45C752
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 67c99e7ff66f94cf0aa9198d4ae9e57d8d863dcd0ae8ae1a3dcfe6ab41974ed0
                                              • Instruction ID: 25e3d5b8aa34ebc291c1ee7a17e2f974a12bc18eb9f11174109a75c4f8767c75
                                              • Opcode Fuzzy Hash: 67c99e7ff66f94cf0aa9198d4ae9e57d8d863dcd0ae8ae1a3dcfe6ab41974ed0
                                              • Instruction Fuzzy Hash: 1E61C171F005124FDB549A7EC88095FBADBAFE4220B554439D80EDB364DFA9DD0287D2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5a76deafb2a65c6ed1590a48a2f7964bc44abe0ee1212f31450caaab2e71f1f7
                                              • Instruction ID: e034884b7f3a9a55802391f7e2e7b7c342ac1b856f8fdb51f276fdfd9cabc17b
                                              • Opcode Fuzzy Hash: 5a76deafb2a65c6ed1590a48a2f7964bc44abe0ee1212f31450caaab2e71f1f7
                                              • Instruction Fuzzy Hash: 36813E30B1060A8FDF94DFB9D4546AEB7F2AF89304F118529E40ADB394DB34DC468B92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a22ecf62ab5551803bbaf255ef4c2a480e9f5824efa7d6b4e8d106d7e23c97e2
                                              • Instruction ID: b27aefc6a7138d904e9805a2e19d9ca1037ee07dfc806b1c6631a2d1a14312c2
                                              • Opcode Fuzzy Hash: a22ecf62ab5551803bbaf255ef4c2a480e9f5824efa7d6b4e8d106d7e23c97e2
                                              • Instruction Fuzzy Hash: A5812D30B1060A8FDF94DFB9D45469EB7F2AF89304F118529D40ADB394DB74DC468B92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6c89ee9a52b93341debb143b198eed826443db45f93d517ad81004822cd0fbde
                                              • Instruction ID: acdf10fe5f180a939edf6271a9c7f81e48d750b64c18ddb0683229eda724234f
                                              • Opcode Fuzzy Hash: 6c89ee9a52b93341debb143b198eed826443db45f93d517ad81004822cd0fbde
                                              • Instruction Fuzzy Hash: D3914D34E006198FDF60DF68C890B9DB7B1FF89300F208699D549AB355DB70AA85CF91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5cda0fdb01050be4d7fa8336be2b504104449cd80996a4b6cb589e19a386727d
                                              • Instruction ID: a95c0296e173098bca64fac44b8f9983982a7ef714f79899f42cc4db28245990
                                              • Opcode Fuzzy Hash: 5cda0fdb01050be4d7fa8336be2b504104449cd80996a4b6cb589e19a386727d
                                              • Instruction Fuzzy Hash: DC913C30E106198BDF60DFA8C890B9DB7B1FF89304F208699D549AB355DB70AA85CF91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d504507709191ea8fffda249874cc4baf91018f985c27d7e6f9bf65f74a86154
                                              • Instruction ID: 224829ddf2f3366148ad92fd0825e6a2a5a44d0a4a1a37414315b137ff45a09a
                                              • Opcode Fuzzy Hash: d504507709191ea8fffda249874cc4baf91018f985c27d7e6f9bf65f74a86154
                                              • Instruction Fuzzy Hash: 1B813A70E006099FDB54DFA9D990A9DBBF6FF88310F24842AE405EB355DB30E946CB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df28324f122804c268acf0cb011c9e7ce0b45c4dbaf984a61cd063f4cde2877a
                                              • Instruction ID: 8bcc4827a8d16b85d6d35c5f25ccb08bf91786e2666a8e07c14fe26756e63bba
                                              • Opcode Fuzzy Hash: df28324f122804c268acf0cb011c9e7ce0b45c4dbaf984a61cd063f4cde2877a
                                              • Instruction Fuzzy Hash: 01710770E006099FDB54DFA9D990A9EBBF6FF88310F14842AE405EB365DB30E946CB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 50de8ae9f4e39cf3c5aff4d23835af1b7823c7b49b033029e915c94fb21b9cc0
                                              • Instruction ID: e48a86c87958e8cfb2714df6924ccb487c0545c6a6370efaad7994cc65b4dac2
                                              • Opcode Fuzzy Hash: 50de8ae9f4e39cf3c5aff4d23835af1b7823c7b49b033029e915c94fb21b9cc0
                                              • Instruction Fuzzy Hash: 4051F870B502049FEF6456ACE854B7F765EDB89310F204526E80AC73A9CB6CCC4B93E2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 51e8758c60221853d515579cad31a01d9b1118bd2b823321ff1fcc0b2e45fc76
                                              • Instruction ID: a3b3815c728d829d66c49e9e821140285a5477c9e45a218711d6cbddea26e1d3
                                              • Opcode Fuzzy Hash: 51e8758c60221853d515579cad31a01d9b1118bd2b823321ff1fcc0b2e45fc76
                                              • Instruction Fuzzy Hash: 24510135E00909CFDB14EB79E8446ADBBB2FB84311F208869E90AD7251DB35D846CB81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9bfe47bf53b189b3c361db0ca64e910d3e77eb85b0810c58e46519a8e12e20df
                                              • Instruction ID: df247c0fa805d2472e203e8c6b30ef2d1259ac1903a077075ec55eb6018c31e0
                                              • Opcode Fuzzy Hash: 9bfe47bf53b189b3c361db0ca64e910d3e77eb85b0810c58e46519a8e12e20df
                                              • Instruction Fuzzy Hash: 7E51B770F506049FEF64566CE954B2F765EDB89310F204826E80AC73A9CB6DCC4B97D2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 961ae0b7d644737a36038cfc678a8c50a178abf310611ed5aea5ccf7845f33cf
                                              • Instruction ID: eba013de1661156515675d7cdf5e12bcf65205d80bc336080e548623d115137f
                                              • Opcode Fuzzy Hash: 961ae0b7d644737a36038cfc678a8c50a178abf310611ed5aea5ccf7845f33cf
                                              • Instruction Fuzzy Hash: 0D415171E00A099FDF70CEA9D8C0AAFFBB2EB84314F10492AE116D7650D731E9558B91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 18ad4592791ad4fd79bd5616fb8407be037367c9e0d164e516acd294450ff578
                                              • Instruction ID: 61b212ac9505c1df20cbb9c0fd56d5095cef795df8eef5e721e74a07e7f29e6f
                                              • Opcode Fuzzy Hash: 18ad4592791ad4fd79bd5616fb8407be037367c9e0d164e516acd294450ff578
                                              • Instruction Fuzzy Hash: C5418331E106059BCB55DFA4D8A4A9EBBF6EF89310F148929E805E7350DB71EE46CB40
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e43e4d2ecced3c6395350192d1289dd199b59562fe81520e4823fd6eb4accaa5
                                              • Instruction ID: 5fbd5d704d8e8ef2b2ad69908254505375019f4d4066442c4bbf8fbc3e85a5db
                                              • Opcode Fuzzy Hash: e43e4d2ecced3c6395350192d1289dd199b59562fe81520e4823fd6eb4accaa5
                                              • Instruction Fuzzy Hash: 26316231E106099BCB55CFA5D864A9EF7F6BF89300F108929E806E7350DB71ED46CB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2aa39206690c6776916a6a656130a999106c59b5b5b77919ce33af3fd1d9beee
                                              • Instruction ID: 5965a5394ec6c2e814d7885ebbd2cca23b9513edf92ba46835e7e0307867e590
                                              • Opcode Fuzzy Hash: 2aa39206690c6776916a6a656130a999106c59b5b5b77919ce33af3fd1d9beee
                                              • Instruction Fuzzy Hash: 3921BF75F016059FDF50CF68D880AEEBBF6AB88300F05802AE515E73A1D730D946CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0d4ae41adba5d9311c859eb8fa78c73b412f0a4652348b8b2b29e4961bdd30b8
                                              • Instruction ID: 6f6f3c806326db02cf3bcacfa3310db0f856827cf3c7db33fce42b34f969d65b
                                              • Opcode Fuzzy Hash: 0d4ae41adba5d9311c859eb8fa78c73b412f0a4652348b8b2b29e4961bdd30b8
                                              • Instruction Fuzzy Hash: E221B071F006059FDF50DF69D880AAEB7F5EB48310F11802AE915E73A0E730D842CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3242815448.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6ed000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 458ffcbebed179997433fe5d5fedc019a13a2511409617882d252e0979b32455
                                              • Instruction ID: e74f3022497b0b568a6db7128387d71c6ecc8a21b3c349439ce54048a5726a43
                                              • Opcode Fuzzy Hash: 458ffcbebed179997433fe5d5fedc019a13a2511409617882d252e0979b32455
                                              • Instruction Fuzzy Hash: EC21F271504384AFCB15DF24C9C4B26BB66FB84314F28C569E9494B392C73AD847DA62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 334123809b015114559ae53e451910b7513b7598dc03f45087a37bc41f0382ba
                                              • Instruction ID: 1346d3b8e4e3f3f42458c660f97dcdf80b0b7e83e1ea5d5fad7225173e70e6a8
                                              • Opcode Fuzzy Hash: 334123809b015114559ae53e451910b7513b7598dc03f45087a37bc41f0382ba
                                              • Instruction Fuzzy Hash: 6F21A234F104189BDF44EB69E864A9EB7B6FB84310F648429E409DB354DB31ED468BC1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e3f98c389aa3f2c1e83a91670a3259f46c562c9ac911b258b19ce0ca5138cc20
                                              • Instruction ID: 6f974adab771d4c2fab7dc6efa369ba38040d59396e03c159a443c5961359f07
                                              • Opcode Fuzzy Hash: e3f98c389aa3f2c1e83a91670a3259f46c562c9ac911b258b19ce0ca5138cc20
                                              • Instruction Fuzzy Hash: FB119071E002189BCF58DB69D8915DEF7B6EB88310F10896AE51AE7340EB31DA41CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 601faf364245d3a318ee9b7483aeef850c7eb18f645aeed4245f795b8d96b6d2
                                              • Instruction ID: 36d3513b8e10c82cece1e8df48d0611b6aa99fcec28783f052862da525f5a6dc
                                              • Opcode Fuzzy Hash: 601faf364245d3a318ee9b7483aeef850c7eb18f645aeed4245f795b8d96b6d2
                                              • Instruction Fuzzy Hash: 9E118E36B105294BDF549678D8146AE73AAABC8610F01853AD40AEB344DF39DC068B92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c935a9f01872d521138b4a55c63cc5094ebf1b1c0c93883830eaea55e4ac16ee
                                              • Instruction ID: e9e307ca6a7b13c27b089631947f0648446ebd3858d508d1ed3b9a0b171f50a0
                                              • Opcode Fuzzy Hash: c935a9f01872d521138b4a55c63cc5094ebf1b1c0c93883830eaea55e4ac16ee
                                              • Instruction Fuzzy Hash: 4201D435F115110FDB61867DE815B5FABEACBCA310F15843AF00ECB355EA25DD068391
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4bfedd5dd91fd3e2984b1731b32f0b79d858931b09574a5d650774f5574ebbc5
                                              • Instruction ID: a76095548f73ab23cde60580cd1fee97ef37094aaee687533b3d0a472ae1d3b6
                                              • Opcode Fuzzy Hash: 4bfedd5dd91fd3e2984b1731b32f0b79d858931b09574a5d650774f5574ebbc5
                                              • Instruction Fuzzy Hash: B621E3B5D016199FCB00DF9AD984ADEFBB4FB48320F10862AE928A3240D374A554CFA4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 27f265ee8ec11c43427a75bdb8e4b38fc824fe9c8ac8b4e84ab6f031ee7eb961
                                              • Instruction ID: a90cd4fa8088662bbcb5955b226e1e556f62fa9dc5dcaf5c0f3b48a572d68bbb
                                              • Opcode Fuzzy Hash: 27f265ee8ec11c43427a75bdb8e4b38fc824fe9c8ac8b4e84ab6f031ee7eb961
                                              • Instruction Fuzzy Hash: 0901F139B005110FCB16CA6DD854B2F7BE6EBCA710B14843AE50AC7340EB29CC068796
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0c33fb0dc8a224910f7a5758865dc0ed910c4c6bbf23877545f50b06f96375a2
                                              • Instruction ID: d6ba9a4c2d358c7ab57e9301c60ccfd4122f78554f7976a5244682af5a8970a7
                                              • Opcode Fuzzy Hash: 0c33fb0dc8a224910f7a5758865dc0ed910c4c6bbf23877545f50b06f96375a2
                                              • Instruction Fuzzy Hash: 1D01D434B005105FCB52D638E965B5F6BE6EF86310F158429F40EC7362EB24DD078791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3242815448.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6ed000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction ID: 562347e5dd150f34de4fcc9ab705463891bfc12c4b8caea7be40300fcfdf819a
                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction Fuzzy Hash: 3D11BB75504384CFCB12CF10C9C4B55BBA2FB84314F28C6A9D8494B392C33AD84ACB62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3245646222.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_61e0000_5302c416b0abd845fe3145f910e82440588c11219940fe89fd68722260a9b508_paylo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 54a282da9811dad140c9d025b1cccfe8c0843c9c89488f4b2fdff59b44c69d06
                                              • Instruction ID: f85462e477f23d62d0e9fcac237aaae6c392280417a846e7091cbd236e20ef62
                                              • Opcode Fuzzy Hash: 54a282da9811dad140c9d025b1cccfe8c0843c9c89488f4b2fdff59b44c69d06