Windows Analysis Report
172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe

Overview

General Information

Sample name: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe
Analysis ID: 1499569
MD5: 0c5a0857966d223e9a72bf6273d520a0
SHA1: 7d01ea6a0a512d04fea2f1a75bc26545ba9d86ca
SHA256: 0f370075b9fe97932babb0bb6be981553ded7d8dcc02ed82ee9afb2964a5b282
Tags: base64-decodedexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}
Source | Rule | Description | Author | Strings
172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source | Rule | Description | Author | Strings
00000000.00000002.2587025373.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2587025373.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000000.1328634117.0000000000C42000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.1328634117.0000000000C42000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2587025373.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.0.172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe.c40000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe.c40000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe.c40000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.0.172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe.c40000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x35b0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x35b81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x35c0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x35c9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x35d07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x35d79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x35e0f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x35e9f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 185.230.212.164, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, Initiated: true, ProcessId: 7768, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49714
No Suricata rule has matched

AV Detection

Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Avira: detected
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Virustotal: Detection: 71%
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Joe Sandbox ML: detected
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match | File source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe.c40000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.9:49714 -> 185.230.212.164:587
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: COMPUTERLINEComputerlineSchlierbachSwitzerlandCH
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.9:49714 -> 185.230.212.164:587
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: smtp.zoho.eu
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.000000000679B000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000003173000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.00000000067AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.000000000679B000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000003173000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.00000000067AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001320000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000003173000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.00000000067AE000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2588977653.0000000006720000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002F61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeString found in binary or memory: http://ip-api.com/line/?fields=hosting
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001320000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000003173000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.00000000067AE000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2588977653.0000000006720000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0B
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002F61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000003173000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smtp.zoho.eu
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.000000000679B000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000003173000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.00000000067AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://status.thawte.com0:
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.000000000679B000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000003173000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.00000000067AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeString found in binary or memory: https://account.dyn.com/
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001320000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000003173000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.00000000067AE000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2588977653.0000000006720000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, gmBpn1ecBmQ.cs | .Net Code: cTytqmH

System Summary

Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, type: SAMPLE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.0.172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe.c40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_01664AC0
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_0166EE00
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_01663EA8
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_0166DE90
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_016641F0
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069D2428
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069DE048
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069E66C0
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069EB2F2
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069E5258
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069EC250
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069E3120
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069E7E50
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069E7770
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069E2421
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069EE470
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069E0040
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_069E0006
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000000.1328669679.0000000000C80000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename7bc3a901-84f9-4a81-8277-20a61843655f.exe4 vs 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.000000000127E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586357940.00000000010F9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Binary or memory string: OriginalFilename7bc3a901-84f9-4a81-8277-20a61843655f.exe4 vs 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe.c40000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, roEs93G.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, JQn0Aia1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, YsrmZ97b.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Mutant created: NULL
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Virustotal: Detection: 71%
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: version.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: wldp.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: profapi.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: amsi.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: userenv.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: rasman.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: secur32.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: schannel.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Code function: 0_2_01666BF2 push edx; iretd 0_2_01666C02
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Code function: 0_2_069D9160 push es; ret 0_2_069D9170
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic -- HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Memory allocated: 15F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Memory allocated: 2F60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Memory allocated: 4F60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Window / User API: threadDelayed 7337
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- Window / User API: threadDelayed 2466
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7912 -- Thread sleep count: 7337 > 30
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7912 -- Thread sleep count: 2466 > 30
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -199314s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -99532s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -198844s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -99310s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -198126s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -197876s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98813s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98704s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98579s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98454s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98329s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98212s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98094s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97766s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97542s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97404s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97266s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97141s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97016s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -96906s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -96797s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -96688s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -96563s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -96438s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98482s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98288s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98170s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -98062s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97953s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97844s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97734s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97625s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97514s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97406s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe TID: 7904 -- Thread sleep time: -97297s >= -30000s
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 100000Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 99875Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 99766Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 99657Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 99532Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 99422Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 99310Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 99188Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 99063Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98938Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98813Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98704Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98579Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98454Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98329Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98212Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98094Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97766Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97542Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97404Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97266Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97141Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97016Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 96906Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 96797Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 96688Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 96563Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 96438Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 99891Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 99313Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98703Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98594Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98482Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98288Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98170Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 98062Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97953Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97844Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97734Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97625Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97514Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97406Jump to behavior
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeThread delayed: delay time: 97297Jump to behavior
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002F91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeBinary or memory string: vmware
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeBinary or memory string: VMwareVBox
                        Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001349000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exeProcess information queried: ProcessInformationJump to behavior

                        Anti Debugging

Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Code function: 0_2_016670B0 CheckRemoteDebuggerPresent, 0_2_016670B0
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Memory allocated: (page read and write | page guard)
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Queries volume information: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe VolumeInformation
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

Source: Yara match | File source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2587025373.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2587025373.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1328634117.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2587025373.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe PID: 7768, type: MEMORYSTR
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1328634117.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2587025373.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe PID: 7768, type: MEMORYSTR

                        Remote Access Functionality

Source: Yara match | File source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe.c40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2587025373.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2587025373.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1328634117.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2587025373.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe PID: 7768, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix is listed here per tactic column. Techniques followed by a number in parentheses are the ones flagged for this sample; the number is the count badge exactly as rendered in the report. Techniques without a number are the unflagged cells of the matrix template.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (231); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (261); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); DLL Side-Loading (1); Steganography; Compile After Delivery
Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (531); Process Discovery (1); Virtualization/Sandbox Evasion (261); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (34)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection (1); Input Capture (1); Archive Collected Data (11); Data from Local System (2); Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Antivirus, Machine Learning and Genetic Malware Detection

Sample detection
Source | Detection | Scanner | Label
172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | 71% | Virustotal |
172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | 100% | Avira | TR/Spy.Gen8
172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Domain detection
Source | Detection | Scanner | Label
smtp.zoho.eu | 0% | Virustotal |
ip-api.com | 0% | Virustotal |

URL detection
Source | Detection | Scanner | Label
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
http://ip-api.com | 0% | URL Reputation | safe
http://smtp.zoho.eu | 0% | Avira URL Cloud | safe
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0 | 0% | Avira URL Cloud | safe
http://status.thawte.com0: | 0% | Avira URL Cloud | safe
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p | 0% | Avira URL Cloud | safe
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p | 0% | Virustotal |
http://smtp.zoho.eu | 0% | Virustotal |
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0 | 0% | Virustotal |
Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.zoho.eu | 185.230.212.164 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown

Contacted URLs
Name: http://ip-api.com/line/?fields=hosting
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

URLs from Memory and Binaries
Name: https://account.dyn.com/
  Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002F61000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
  Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.000000000679B000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000003173000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.00000000067AE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
  Reputation: unknown

Name: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
  Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.000000000679B000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000003173000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.00000000067AE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
  Reputation: unknown

Name: http://status.thawte.com0:
  Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.000000000679B000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000003173000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2586514160.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2589021556.00000000067AE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

Name: http://smtp.zoho.eu
  Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002FC4000.00000004.00000800.00020000.00000000.sdmp, 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000003173000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: 0%, Virustotal; Avira URL Cloud: safe
  Reputation: unknown

Name: http://ip-api.com
  Source: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe, 00000000.00000002.2587025373.0000000002F61000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS US | true
185.230.212.164 | smtp.zoho.eu | Netherlands | 41913 | COMPUTERLINE Computerline Schlierbach Switzerland CH | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1499569
                        Start date and time:2024-08-27 08:01:05 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 4m 23s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@1/0@2/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 65
                        • Number of non-executed functions: 6
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, UsoClient.exe
                        • Excluded IPs from analysis (whitelisted): 20.190.159.64, 20.190.159.4, 20.190.159.73, 20.190.159.0, 20.190.159.2, 20.190.159.68, 40.126.31.67, 40.126.31.73, 20.190.159.71, 40.126.31.71
                        • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, settings-win.data.microsoft.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:01:57 | API Interceptor | 55x Sleep call for process: 172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | RFQ448903423_MAT_HASUE_de_Mexico.js | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | cotizaci#U00f3n_SIS20240500007257.pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Recibo de env#U00edo de DHL_Gu#U00eda de embarque Doc_PRG211003417144356060.PDF..exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Image Logger Installer.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Fatality.exe | malicious | Blank Grabber, Umbral Stealer | ip-api.com/json/?fields=225545
208.95.112.1 | smss.exe | malicious | RMSRemoteAdmin, RDPWrap Tool, xRAT | ip-api.com/json
208.95.112.1 | RFQ20240513.exe | malicious | AgentTesla, DarkTortilla | ip-api.com/line/?fields=hosting
208.95.112.1 | DOCUMENTOSFACTURA_pif.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Payment Confirmation 26082024.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | crss.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
185.230.212.164 | RFQ448903423_MAT_HASUE_de_Mexico.js | malicious | AgentTesla |
185.230.212.164 | File.com.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger |
185.230.212.164 | Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.exe | malicious | AgentTesla, DarkTortilla |
185.230.212.164 | 1qwF1J2Njh.exe | malicious | AgentTesla |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | RFQ448903423_MAT_HASUE_de_Mexico.js | malicious | AgentTesla | 208.95.112.1
ip-api.com | cotizaci#U00f3n_SIS20240500007257.pdf.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Recibo de env#U00edo de DHL_Gu#U00eda de embarque Doc_PRG211003417144356060.PDF..exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Image Logger Installer.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | Fatality.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
ip-api.com | smss.exe | malicious | RMSRemoteAdmin, RDPWrap Tool, xRAT | 208.95.112.1
ip-api.com | https://jobs.exjudicata.com/senior-policy-manager-1a1406bf4189 | malicious | Unknown | 51.77.64.70
ip-api.com | RFQ20240513.exe | malicious | AgentTesla, DarkTortilla | 208.95.112.1
ip-api.com | DOCUMENTOSFACTURA_pif.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Payment Confirmation 26082024.exe | malicious | AgentTesla | 208.95.112.1
smtp.zoho.eu | RFQ448903423_MAT_HASUE_de_Mexico.js | malicious | AgentTesla | 185.230.212.164
smtp.zoho.eu | File.com.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 185.230.212.164
smtp.zoho.eu | Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.exe | malicious | AgentTesla, DarkTortilla | 185.230.212.164
smtp.zoho.eu | Orden#46789_2024_Optoflux_mexico_sderlss.exe | malicious | AgentTesla, DarkTortilla | 185.230.214.164
smtp.zoho.eu | Orden#46789_2024_Optoflux_mexico_sderlsTY.exe | malicious | AgentTesla, DarkTortilla | 185.230.214.164
smtp.zoho.eu | Orden#46789_2024_Optoflux_mexico_sderlsTYP.exe | malicious | AgentTesla, DarkTortilla | 185.230.214.164
smtp.zoho.eu | okPY77wv6E.exe | malicious | AgentTesla | 185.230.214.164
smtp.zoho.eu | RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | malicious | AgentTesla | 185.230.214.164
smtp.zoho.eu | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe | malicious | GuLoader | 185.230.214.164
smtp.zoho.eu | RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | malicious | AgentTesla | 185.230.214.164
Match | Associated Sample Name / URL | Detection | Threat Name | Context
COMPUTERLINE Computerline Schlierbach Switzerland CH | RFQ448903423_MAT_HASUE_de_Mexico.js | malicious | AgentTesla | 185.230.212.164
COMPUTERLINE Computerline Schlierbach Switzerland CH | bat.bat | malicious | AsyncRAT, DcRat, PureLog Stealer, XWorm, zgRAT | 185.230.212.169
COMPUTERLINE Computerline Schlierbach Switzerland CH | File.com.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 185.230.212.164
COMPUTERLINE Computerline Schlierbach Switzerland CH | https://forms.zohopublic.eu/oyika/form/OfficeAdministration/formperma/9Y9iItPBjtbizq-LjIqfCLG9lgQgDpYgginS586dnzM | malicious | Unknown | 89.36.170.147
COMPUTERLINE Computerline Schlierbach Switzerland CH | http://workdrive.zohoexternal.com | malicious | Unknown | 89.36.170.147
COMPUTERLINE Computerline Schlierbach Switzerland CH | https://workdrive.zohoexternal.com/external/writer/46fdf68b2f78265d07797e09c63aeef4064c3374cfc014062660688cb6876b9b | malicious | Unknown | 89.36.170.147
COMPUTERLINE Computerline Schlierbach Switzerland CH | https://diverescueintl.com/ | malicious | HTMLPhisher | 89.36.170.147
COMPUTERLINE Computerline Schlierbach Switzerland CH | 3533cdbe-ace4-ee24-ff8f-a6fbfe7cf297.eml | malicious | HTMLPhisher | 89.36.170.147
COMPUTERLINE Computerline Schlierbach Switzerland CH | https://news.sky.com.orientcomputer-eg.com/ck1/13ef.6f604c137186924e/54afeda0-5892-11ef-9169-52540048feb1/4a9c32796a4b334297d499ea9c8416521e40b10f/2?e=aIojADma7UHO6n8luDK%2B95xpBNzB5MYBKYeLZ8ZyOu7Aa%2B6p9nC2pijHnhlTxVAZYdVpf6NA96PWWwLveY4KCWpHNDDXbTiOTMiFzovH6LYW6dQ7e4qpdVuaSUp1wm%2By%2FblAF1x6nrjyRRXVcXQOIfo7%2BYq07nWhOzN%2FpZd%2FKYo7PgcoYOZcAKUuxCBOV5egyrKv2HeOtQXceIDZKjV7YQ%3D%3D | malicious | Unknown | 185.230.212.59
COMPUTERLINE Computerline Schlierbach Switzerland CH | https://survey.zohopublic.com/zs/PYD30j?zs_inviteid=866013344e2f6aaa30b0ce407809ff4bd0ed3ef0b6c505e4b8ed99944a376aa9926823bc48ddf2b3a48337595fd132fdc7dd78d5f9b555e70f8018a33749ece953593d840363543c7e497cb3df5edd8a8ce77772c184384877cf08b30c571942a82188865861cee4768abdb6a85121effaf9893caa395668bdc7d2ea3eb1ad70842f3852386887fd2152473c96af2d214aa22073b82ef4bd897283936adbc27354514f9b6787d1b60b4d554452880bf6 | malicious | Unknown | 185.230.212.52
TUT-AS US | RFQ448903423_MAT_HASUE_de_Mexico.js | malicious | AgentTesla | 208.95.112.1
TUT-AS US | cotizaci#U00f3n_SIS20240500007257.pdf.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS US | Recibo de env#U00edo de DHL_Gu#U00eda de embarque Doc_PRG211003417144356060.PDF..exe | malicious | AgentTesla | 208.95.112.1
TUT-AS US | Image Logger Installer.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-AS US | Fatality.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
TUT-AS US | smss.exe | malicious | RMSRemoteAdmin, RDPWrap Tool, xRAT | 208.95.112.1
TUT-AS US | RFQ20240513.exe | malicious | AgentTesla, DarkTortilla | 208.95.112.1
TUT-AS US | DOCUMENTOSFACTURA_pif.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS US | Payment Confirmation 26082024.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS US | crss.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):5.001260447885727
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe
                                File size:250'880 bytes
                                MD5:0c5a0857966d223e9a72bf6273d520a0
                                SHA1:7d01ea6a0a512d04fea2f1a75bc26545ba9d86ca
                                SHA256:0f370075b9fe97932babb0bb6be981553ded7d8dcc02ed82ee9afb2964a5b282
                                SHA512:d37d7777285595b0a0f1cd267e843ea08214c62b3c12fce7470c7f5cce70f5969bc758ebc410e357bdc0c2564f1f78ef7725db8ed1d05648e5d773c187ccbc73
                                SSDEEP:3072:flqf9dME0sMkhJF1+t+AxkhSaPgu5af1KWo5:fs9dME0sMkhJF1rhSvP1F
                                TLSH:9E341F037E88EB15E5A87E3782EF2C2413F2B0C70673D60B6F49AE6518516526C7E72D
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8?f................................. ........@.. .......................@............@................................
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0x43e82e
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x663F3889 [Sat May 11 09:21:13 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e7d8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40000 | 0x546 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x42000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x3c834 | 0x3ca00 | 045e3a239c669ff9d062b32436988aa6 | False | 0.35756282216494845 | data | 5.0123639514958525 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x40000 | 0x546 | 0x600 | a2802022c10bcf4fc6a619c6bc05aec4 | False | 0.3997395833333333 | data | 4.002728308980721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x42000 | 0xc | 0x200 | e623dfb8e4b9fad79df479e88ee1050e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x400a0 | 0x2bc | data | | | 0.44142857142857145
RT_MANIFEST | 0x4035c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 27, 2024 08:01:56.281346083 CEST | 49711 | 80 | 192.168.2.9 | 208.95.112.1
Aug 27, 2024 08:01:56.286773920 CEST | 80 | 49711 | 208.95.112.1 | 192.168.2.9
Aug 27, 2024 08:01:56.286837101 CEST | 49711 | 80 | 192.168.2.9 | 208.95.112.1
Aug 27, 2024 08:01:56.287821054 CEST | 49711 | 80 | 192.168.2.9 | 208.95.112.1
Aug 27, 2024 08:01:56.292988062 CEST | 80 | 49711 | 208.95.112.1 | 192.168.2.9
Aug 27, 2024 08:01:56.765392065 CEST | 80 | 49711 | 208.95.112.1 | 192.168.2.9
Aug 27, 2024 08:01:56.819317102 CEST | 49711 | 80 | 192.168.2.9 | 208.95.112.1
Aug 27, 2024 08:01:57.472018003 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:57.479127884 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:57.479195118 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:58.065874100 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:58.066152096 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:58.071069956 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:58.465743065 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:58.506791115 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:58.597659111 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:58.597877026 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:58.603697062 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:58.777204990 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:58.789537907 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:58.794358015 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:58.969286919 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:58.969299078 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:58.969310045 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:58.969321012 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:58.969366074 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:58.969410896 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:58.972224951 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:58.977072954 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:59.153434992 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:59.190762997 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:59.195945024 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:59.369256973 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:59.370420933 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:59.375852108 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:59.549410105 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:59.563057899 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:59.572128057 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:59.758326054 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:59.783526897 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:59.788352966 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:59.961997032 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:01:59.967814922 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:01:59.972799063 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:00.148310900 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:00.151751041 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:00.156927109 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:00.330704927 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:00.331381083 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:00.331451893 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:00.331509113 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:00.331533909 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:00.337297916 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:00.337308884 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:00.337366104 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:00.337376118 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:01.050133944 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:01.050204039 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:01.050251961 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:01.140005112 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:01.144870996 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:01.318278074 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:01.318428993 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:01.318692923 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:01.318716049 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:01.318747044 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:01.322158098 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:01.323203087 CEST | 49717 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:01.328078985 CEST | 587 | 49717 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:01.328142881 CEST | 49717 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:01.903390884 CEST | 587 | 49717 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:01.909234047 CEST | 49717 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:01.914088011 CEST | 587 | 49717 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:02.087750912 CEST | 587 | 49717 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:02.087960958 CEST | 49717 | 587 | 192.168.2.9 | 185.230.212.164
Aug 27, 2024 08:02:02.092873096 CEST | 587 | 49717 | 185.230.212.164 | 192.168.2.9
Aug 27, 2024 08:02:02.264161110 CEST | 587 | 49717 | 185.230.212.164 | 192.168.2.9
                                Aug 27, 2024 08:02:02.270981073 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:02.275866032 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:02.448168993 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:02.448195934 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:02.448208094 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:02.448281050 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:02.450624943 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:02.455451012 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:02.626956940 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:02.639014006 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:02.644695997 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:02.815757990 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:02.818384886 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:02.823555946 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:02.994764090 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:02.995131016 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:02.999847889 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:03.182254076 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:03.182451963 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.187383890 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:03.361043930 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:03.361270905 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.366925001 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:03.538156986 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:03.538407087 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.543765068 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:03.714961052 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:03.720491886 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.720572948 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.720624924 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.720655918 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.720736027 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.720766068 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.720792055 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.720900059 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.720946074 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.720974922 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:03.725563049 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:03.725667953 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:03.725680113 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:03.725779057 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:03.725816011 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:04.201456070 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:02:04.241178989 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:02:47.460402966 CEST4971180192.168.2.9208.95.112.1
                                Aug 27, 2024 08:02:47.465679884 CEST8049711208.95.112.1192.168.2.9
                                Aug 27, 2024 08:02:47.465780020 CEST4971180192.168.2.9208.95.112.1
                                Aug 27, 2024 08:03:37.475914955 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:03:37.481949091 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:03:37.655179977 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:03:37.655196905 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:03:37.655294895 CEST58749717185.230.212.164192.168.2.9
                                Aug 27, 2024 08:03:37.655417919 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:03:37.655530930 CEST49717587192.168.2.9185.230.212.164
                                Aug 27, 2024 08:03:37.656609058 CEST49717587192.168.2.9185.230.212.164
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Aug 27, 2024 08:01:56.223882914 CEST | 49448 | 53 | 192.168.2.9 | 1.1.1.1
                                Aug 27, 2024 08:01:56.273240089 CEST | 53 | 49448 | 1.1.1.1 | 192.168.2.9
                                Aug 27, 2024 08:01:57.451611042 CEST | 62113 | 53 | 192.168.2.9 | 1.1.1.1
                                Aug 27, 2024 08:01:57.471352100 CEST | 53 | 62113 | 1.1.1.1 | 192.168.2.9

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Aug 27, 2024 08:01:56.223882914 CEST | 192.168.2.9 | 1.1.1.1 | 0x8598 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                Aug 27, 2024 08:01:57.451611042 CEST | 192.168.2.9 | 1.1.1.1 | 0x998b | Standard query (0) | smtp.zoho.eu | A (IP address) | IN (0x0001) | false

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Aug 27, 2024 08:01:56.273240089 CEST | 1.1.1.1 | 192.168.2.9 | 0x8598 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                Aug 27, 2024 08:01:57.471352100 CEST | 1.1.1.1 | 192.168.2.9 | 0x998b | No error (0) | smtp.zoho.eu | | 185.230.212.164 | A (IP address) | IN (0x0001) | false
                                • ip-api.com
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.9 | 49711 | 208.95.112.1 | 80 | 7768 | C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe

                                Timestamp | Bytes transferred | Direction | Data
                                Aug 27, 2024 08:01:56.287821054 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                    Host: ip-api.com
                                    Connection: Keep-Alive
                                Aug 27, 2024 08:01:56.765392065 CEST | 175 | IN | HTTP/1.1 200 OK
                                    Date: Tue, 27 Aug 2024 06:01:56 GMT
                                    Content-Type: text/plain; charset=utf-8
                                    Content-Length: 6
                                    Access-Control-Allow-Origin: *
                                    X-Ttl: 60
                                    X-Rl: 44
                                    Data Raw: 66 61 6c 73 65 0a
                                    Data Ascii: false


                                Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                Aug 27, 2024 08:01:58.065874100 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9 | 220 mx.zoho.eu SMTP Server ready August 27, 2024 8:01:57 AM CEST
                                Aug 27, 2024 08:01:58.066152096 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164 | EHLO 216041
                                Aug 27, 2024 08:01:58.465743065 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9 | 250-mx.zoho.eu Hello 216041 (8.46.123.33 (8.46.123.33))
                                Aug 27, 2024 08:01:58.597659111 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9 | 250-STARTTLS
                                    250 SIZE 53477376
                                Aug 27, 2024 08:01:58.597877026 CEST | 49714 | 587 | 192.168.2.9 | 185.230.212.164 | STARTTLS
                                Aug 27, 2024 08:01:58.777204990 CEST | 587 | 49714 | 185.230.212.164 | 192.168.2.9 | 220 Ready to start TLS.
                                Aug 27, 2024 08:02:01.903390884 CEST | 587 | 49717 | 185.230.212.164 | 192.168.2.9 | 220 mx.zoho.eu SMTP Server ready August 27, 2024 8:02:01 AM CEST
                                Aug 27, 2024 08:02:01.909234047 CEST | 49717 | 587 | 192.168.2.9 | 185.230.212.164 | EHLO 216041
                                Aug 27, 2024 08:02:02.087750912 CEST | 587 | 49717 | 185.230.212.164 | 192.168.2.9 | 250-mx.zoho.eu Hello 216041 (8.46.123.33 (8.46.123.33))
                                    250-STARTTLS
                                    250 SIZE 53477376
                                Aug 27, 2024 08:02:02.087960958 CEST | 49717 | 587 | 192.168.2.9 | 185.230.212.164 | STARTTLS
                                Aug 27, 2024 08:02:02.264161110 CEST | 587 | 49717 | 185.230.212.164 | 192.168.2.9 | 220 Ready to start TLS.


                                Target ID:0
                                Start time:02:01:55
                                Start date:27/08/2024
                                Path:C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f3741352.dat-decoded.exe"
                                Imagebase:0xc40000
                                File size:250'880 bytes
                                MD5 hash:0C5A0857966D223E9A72BF6273D520A0
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2587025373.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2587025373.0000000002FBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1328634117.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.1328634117.0000000000C42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2587025373.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2587025373.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:11.4%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:2.7%
                                  Total number of Nodes:113
                                  Total number of Limit Nodes:14

                                  Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $
                                  • API String ID: 0-3993045852

                                  Control-flow Graph for 16670b0 (rendered graph not reproduced; legend: Executed / Not Executed; this function calls CheckRemoteDebuggerPresent)
                                  APIs
                                  • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 01667127
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2586913970.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1660000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: CheckDebuggerPresentRemote
                                  • String ID:
                                  • API String ID: 3662101638-0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2586913970.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1660000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: \VRm
                                  • API String ID: 0-1931484983
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2586913970.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1660000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 969befcb832269d3e51710354b27afeae6587eaaff660c042b3676d217d3ce78
                                  • Instruction ID: b076b3f86b55d2ae7701ddb152a4ebd2e9b8a2a32cd72df3c6cb65e9641a7a53
                                  • Opcode Fuzzy Hash: 969befcb832269d3e51710354b27afeae6587eaaff660c042b3676d217d3ce78
                                  • Instruction Fuzzy Hash: 4A322E31E10719CFDB15EBB9C89069DB7B6FFC9300F60C66AD409A7254EB70A985CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c469303bb1ad4b098dae5b316e8991c6951577d801662cffd12882db24cc6e7d
                                  • Instruction ID: 3b88ecbbdd85fcb7a0fd805d0d8aa88a91a842dc15b2d3dd0ab87bca45da3c64
                                  • Opcode Fuzzy Hash: c469303bb1ad4b098dae5b316e8991c6951577d801662cffd12882db24cc6e7d
                                  • Instruction Fuzzy Hash: 9702AF30B102098FDB55DBA8D9946AEBBF6FF84300F248929D415DB794DB31EC46CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2586913970.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1660000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 02284dc3c64ecdc079f1fc5b0ed6ffe14cd32b480ee92b12a5988d8d3201dbad
                                  • Instruction ID: f09d66fa505ac776ad5be87b7c0992999bf28604caa02202582d5dffeb053ae1
                                  • Opcode Fuzzy Hash: 02284dc3c64ecdc079f1fc5b0ed6ffe14cd32b480ee92b12a5988d8d3201dbad
                                  • Instruction Fuzzy Hash: 55B1D435B04214DBDB19EB78AC6427EBBF7BFC9240B15846EE416DB388CE348C069791
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2586913970.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1660000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3ddeb01729e8f1cea510cc83adde10c9e2973896697d0cda578d1c6fc6f600a4
                                  • Instruction ID: 3ee0fd6c493798377086b30b92597149a8eca0bbb295536df22f1babca8a30ca
                                  • Opcode Fuzzy Hash: 3ddeb01729e8f1cea510cc83adde10c9e2973896697d0cda578d1c6fc6f600a4
                                  • Instruction Fuzzy Hash: 6DB17C71E00209CFDB14CFA9DC917AEBBF6AF88714F188529D815A7394EF749885CB81
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 069D6E96
                                  • GetCurrentThread.KERNEL32 ref: 069D6ED3
                                  • GetCurrentProcess.KERNEL32 ref: 069D6F10
                                  • GetCurrentThreadId.KERNEL32 ref: 069D6F69
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589343100.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69d0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 6ca6220363c592b582015754b3c523d172d0b098c3f72774a6db45b09ceb3d1d
                                  • Instruction ID: 3580cc50e70fac0b0c76c0a8830993642a74fdd4daf18d7c641297ff32d40e8d
                                  • Opcode Fuzzy Hash: 6ca6220363c592b582015754b3c523d172d0b098c3f72774a6db45b09ceb3d1d
                                  • Instruction Fuzzy Hash: 2B5167B09017098FDB54CFAAD948BEEBBF1AF48310F20846AE00AA7750D7746944CF65
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 069D6E96
                                  • GetCurrentThread.KERNEL32 ref: 069D6ED3
                                  • GetCurrentProcess.KERNEL32 ref: 069D6F10
                                  • GetCurrentThreadId.KERNEL32 ref: 069D6F69
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589343100.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69d0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: d4df01a471bd9a414b1edfbb6b4f6ee5b3841db47704f6a8dcc6f7f07d65827d
                                  • Instruction ID: ed0f3efba1492d2be9646856a6632cd38053e77e0c06bd3d54a07f62b4f1c1a8
                                  • Opcode Fuzzy Hash: d4df01a471bd9a414b1edfbb6b4f6ee5b3841db47704f6a8dcc6f7f07d65827d
                                  • Instruction Fuzzy Hash: 8D5147B0D007098FDB54DFAAD948BAEBBF1EF48314F20846AE40AA7750D7746944CF65
                                  Control-flow graph (rendered image not reproduced): entry block 069DF218-069DF237, exit block 069DF494-069DF4A8; GetModuleHandleW is called from block 069DF460-069DF48B. Internal calls from this function: 069DE15C, 069DF4B0/069DF4C0, 069DE168, 069D799C, 069DDFD8, 069DE178.
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 069DF47E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589343100.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69d0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: f6ed9e1e89dc20e827f6c13bac7f9abbf36e406741223ea5b6ad4e932711adaa
                                  • Instruction ID: 1f6fd02613c2df7ac08f0c0b0f1f70371efa4b6c758a74bce8be1991a4fb7abd
                                  • Opcode Fuzzy Hash: f6ed9e1e89dc20e827f6c13bac7f9abbf36e406741223ea5b6ad4e932711adaa
                                  • Instruction Fuzzy Hash: 36815470A00B058FDBA4DF2AD44579ABBF5FF88344F10892ED48ADBA40D774E849CB91
                                  Control-flow graph (rendered image not reproduced): entry block 069D7058-069D70C8; DuplicateHandle is called from block 069D70CB-069D70F4, which branches either through 069D70F6-069D70FC or directly to the exit block 069D70FD-069D711A.
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069D70E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589343100.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69d0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 65aa320fac0a0b03e38f21079fb97ea02cd845dc471a749e692e5c4f48607fcf
                                  • Instruction ID: ff505f4082af00cf733e9bc85a0a051fc8e3e3c9709703558860e465c8e3b5ec
                                  • Opcode Fuzzy Hash: 65aa320fac0a0b03e38f21079fb97ea02cd845dc471a749e692e5c4f48607fcf
                                  • Instruction Fuzzy Hash: F121E5B5900209AFDB10CFAAD884ADEBFF9FB48310F14841AE954A7750D379A950CFA5
                                  Control-flow graph (rendered image not reproduced): entry block 016670A8-01667134 calls CheckRemoteDebuggerPresent, then branches either through 01667136-0166713C or directly to the exit block 0166713D-01667178.
                                  APIs
                                  • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 01667127
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2586913970.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1660000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: CheckDebuggerPresentRemote
                                  • String ID:
                                  • API String ID: 3662101638-0
                                  • Opcode ID: 29083772b692728d02803e71bce9bdc75937eb7e1e3cbbae7b46386ad5222b21
                                  • Instruction ID: 726ecd0013ddbafc335c4c4b239b2fe435320c8274f7ea6393991dee8b34a411
                                  • Opcode Fuzzy Hash: 29083772b692728d02803e71bce9bdc75937eb7e1e3cbbae7b46386ad5222b21
                                  • Instruction Fuzzy Hash: 60213972800259CFDB10CFAAD884BEEFBF5AF49210F24846AE455B7350C3789945CF60
                                  Control-flow graph (rendered image not reproduced): entry block 069D7060-069D70C8; DuplicateHandle is called from block 069D70CB-069D70F4, which branches either through 069D70F6-069D70FC or directly to the exit block 069D70FD-069D711A.
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069D70E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589343100.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69d0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 4aa382a74b239451994629485895ce3b28278f822292752bf6e0ff9a713ac5bb
                                  • Instruction ID: e1a99d84eb01991f94dfdb1c00f2c451dfd22d213aa93aaebb703d3123ceae5e
                                  • Opcode Fuzzy Hash: 4aa382a74b239451994629485895ce3b28278f822292752bf6e0ff9a713ac5bb
                                  • Instruction Fuzzy Hash: 4521E4B59002099FDB10CF9AD884ADEFBF8EB48310F14842AE954A7350D379A950CFA5
                                  Control-flow graph (rendered image not reproduced): entry block 0166F377-0166F404 calls GlobalMemoryStatusEx, then branches either through 0166F406-0166F40C or directly to the exit block 0166F40D-0166F435.
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 0166F3F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2586913970.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1660000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  • Opcode ID: ca1f7679a8e9eb0d9e351f640e8f6cf7a70730e51b6b137aaaa909cf4d4c0edd
                                  • Instruction ID: e20c5207287d5e11ab2b5a15c88379e022de6db55d44500935ff93fcdb78d43d
                                  • Opcode Fuzzy Hash: ca1f7679a8e9eb0d9e351f640e8f6cf7a70730e51b6b137aaaa909cf4d4c0edd
                                  • Instruction Fuzzy Hash: C62167B1C002598FDB10CFAAE5447DEFBB4AF08210F14856AD414B7641D378A945CFA5
                                  Control-flow graph (rendered image not reproduced): entry block 069DF678-069DF6C0, optional block 069DF6C2-069DF6C5; LoadLibraryExW is called from block 069DF6C8-069DF6F7, which branches either through 069DF6F9-069DF6FF or directly to the exit block 069DF700-069DF71D.
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,069DF4F9,00000800,00000000,00000000), ref: 069DF6EA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589343100.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69d0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 8326a79310f383c8956b36137959bb72f78f0fe70d7c1511f40d190e900992ec
                                  • Instruction ID: a0464330881c0034000a90ffd20f8ef956f41fb60131a4d33e009497c5044d54
                                  • Opcode Fuzzy Hash: 8326a79310f383c8956b36137959bb72f78f0fe70d7c1511f40d190e900992ec
                                  • Instruction Fuzzy Hash: C82114B6C003099FDB10CF9AD844ADEFBF8EB48720F20842AE459A7610C375A545CFA5
                                  Control-flow graph (rendered image not reproduced): entry block 069DE1A0-069DF6C0, optional block 069DF6C2-069DF6C5; LoadLibraryExW is called from block 069DF6C8-069DF6F7, which branches either through 069DF6F9-069DF6FF or directly to the exit block 069DF700-069DF71D.
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,069DF4F9,00000800,00000000,00000000), ref: 069DF6EA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589343100.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69d0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: bfbe9be2f434b7c8f9b2bde71d8accbbddc40e8918fcd9b0b49b4dbcc70917a8
                                  • Instruction ID: b8e96d6bbb4ca086a120c819e36c5a32912e4a3e91939e01e9e3cf85b559f8aa
                                  • Opcode Fuzzy Hash: bfbe9be2f434b7c8f9b2bde71d8accbbddc40e8918fcd9b0b49b4dbcc70917a8
                                  • Instruction Fuzzy Hash: B51103B68003499FDB20CF9AD444BDEFBF8AB48310F14842AE559A7610C375A545CFA5
                                  Control-flow graph (rendered image not reproduced): entry block 0166F390-0166F404 calls GlobalMemoryStatusEx, then branches either through 0166F406-0166F40C or directly to the exit block 0166F40D-0166F435.
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32 ref: 0166F3F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2586913970.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1660000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  • Opcode ID: 03b079c065b19be4ac688d89e7372dbc01fa824a24ebd0d39b1db3d0f8d58043
                                  • Instruction ID: 06e76c4bef30ce1b65befe698260da192195711e547428472d918f26458433c5
                                  • Opcode Fuzzy Hash: 03b079c065b19be4ac688d89e7372dbc01fa824a24ebd0d39b1db3d0f8d58043
                                  • Instruction Fuzzy Hash: 041123B1C0065A9BDB10CF9AD844BDEFBF8EF48220F14816AD818B7240D378A944CFE5
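The records above are the report's per-function dump metadata; the two calls worth pulling out for triage are CheckRemoteDebuggerPresent (debugger detection) and GlobalMemoryStatusEx (host profiling, which a sandbox VM with little RAM fails). The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses a handful of records copied from this listing (constructed input, embedded inline) into structured entries, flags calls to a small assumed list of anti-analysis APIs, and groups the calls by the memory region the code was dumped from, so the 01660000 and 069D0000 regions can be told apart. The ANTI_ANALYSIS table and the reasons attached to it are the editor's assumptions, not the report's classification; the record format is taken from the lines on this page.

```python
"""Parse Joe Sandbox function-dump records and flag anti-analysis API calls."""
import re
from dataclasses import dataclass, field

# Constructed sample input: records copied from the function-dump listing on
# this page (one record per disassembled function; a record closes at its
# "Instruction Fuzzy Hash" line). The bullets are the page's own "•" marks.
SAMPLE_DUMP = """\
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 01667127
Memory Dump Source
• Source File: 00000000.00000002.2586913970.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
Similarity
• API ID: CheckDebuggerPresentRemote
• API String ID: 3662101638-0
• Opcode ID: 29083772b692728d02803e71bce9bdc75937eb7e1e3cbbae7b46386ad5222b21
• Instruction Fuzzy Hash: 60213972800259CFDB10CFAAD884BEEFBF5AF49210F24846AE455B7350C3789945CF60
APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 0166F3F7
Memory Dump Source
• Source File: 00000000.00000002.2586913970.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• API String ID: 1890195054-0
• Opcode ID: ca1f7679a8e9eb0d9e351f640e8f6cf7a70730e51b6b137aaaa909cf4d4c0edd
• Instruction Fuzzy Hash: C62167B1C002598FDB10CFAAE5447DEFBB4AF08210F14856AD414B7641D378A945CFA5
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069D70E7
Memory Dump Source
• Source File: 00000000.00000002.2589343100.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0
• Opcode ID: 65aa320fac0a0b03e38f21079fb97ea02cd845dc471a749e692e5c4f48607fcf
• Instruction Fuzzy Hash: F121E5B5900209AFDB10CFAAD884ADEBFF9FB48310F14841AE954A7750D379A950CFA5
Memory Dump Source
• Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0cf0d3ed83e8e51d461c228f64c68ef92c5ce378bd961071ef067d9ad8ce669d
• Instruction Fuzzy Hash: 41626C30A0030A8FDB55EF68D5A0A5EB7F2FF84304B208A68D4159F759DB71ED4ACB91
"""

# "• Api.MODULE(args), ref: ADDR" or "• Api.MODULE ref: ADDR"
API_LINE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
OFFSET_LINE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+)")
OPCODE_LINE = re.compile(r"Opcode ID:\s*(?P<id>[0-9a-f]{64})")

# Assumed categorisation (editor's own, not the report's): Win32 calls that
# stealers commonly use to detect a debugger or profile the host.
ANTI_ANALYSIS = {
    "CheckRemoteDebuggerPresent": "debugger detection",
    "IsDebuggerPresent": "debugger detection",
    "GlobalMemoryStatusEx": "host profiling (low RAM suggests a sandbox VM)",
}


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    region_base: str = ""      # "Offset:" of the memory dump holding the function
    apis: list = field(default_factory=list)   # (api, module, call-site address)


def parse_records(text):
    """Split the dump into per-function records; a record closes at its fuzzy-hash line."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        if m := API_LINE.search(line):
            cur.apis.append((m["api"], m["module"], m["ref"].upper()))
        elif m := OFFSET_LINE.search(line):
            cur.region_base = m["offset"].upper()
        elif m := OPCODE_LINE.search(line):
            cur.opcode_id = m["id"]
        elif "Instruction Fuzzy Hash" in line:
            records.append(cur)
            cur = FunctionRecord()
    return records


def flag_anti_analysis(records):
    """Return [(region, call-site, api, reason)] for every call to a flagged API."""
    hits = []
    for r in records:
        for api, _mod, ref in r.apis:
            if api in ANTI_ANALYSIS:
                hits.append((r.region_base, ref, api, ANTI_ANALYSIS[api]))
    return hits


def regions_with_apis(records):
    """Map memory-region base -> sorted list of APIs called from code in that region."""
    out = {}
    for r in records:
        for api, _mod, _ref in r.apis:
            out.setdefault(r.region_base, set()).add(api)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_DUMP)
    for region, ref, api, why in flag_anti_analysis(recs):
        print(f"{region}+{ref}: {api:28s} {why}")
    print(regions_with_apis(recs))
```

Grouping by region is the useful part: here both evasion calls resolve in the 01660000 dump while the handle and loader plumbing sits in 069D0000, which is the kind of split an analyst uses to decide which dumped region to carve out and unpack first. Fuzzy hashes and API String IDs are Joe Sandbox's own similarity features and are left untouched by the parser.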
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 069DF47E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589343100.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69d0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 235ec62f36fce802054a83d4696c6c123792595f7c0a075a749171d9a33640cb
                                  • Instruction ID: a9a5d754f4ca9d280c13a89d120395829882bdb3a8add5d635bad33a87576eb9
                                  • Opcode Fuzzy Hash: 235ec62f36fce802054a83d4696c6c123792595f7c0a075a749171d9a33640cb
                                  • Instruction Fuzzy Hash: 1B110FB5C007498FDB10CF9AC544ADEFBF8AB88314F24842AD459A7610C379A545CFA5
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069D70E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589343100.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69d0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 743b2a562da5961d314de1ff2cd6f15a46137c37cf96672d202743845c55d535
                                  • Instruction ID: 7f0569a641143d2f50732a83e77c80edc99bf885be726709dfe6c6a86e9cf001
                                  • Opcode Fuzzy Hash: 743b2a562da5961d314de1ff2cd6f15a46137c37cf96672d202743845c55d535
                                  • Instruction Fuzzy Hash: 39F0F0718043489FEB108BE9E8047EEFFF8AF84314F18C05AE044A7291C3BA4454CB61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0cf0d3ed83e8e51d461c228f64c68ef92c5ce378bd961071ef067d9ad8ce669d
                                  • Instruction ID: a4d176f8fd6b594bec2dca5c85bf047b1860a8e1a61b86ff17a3d0806926d293
                                  • Opcode Fuzzy Hash: 0cf0d3ed83e8e51d461c228f64c68ef92c5ce378bd961071ef067d9ad8ce669d
                                  • Instruction Fuzzy Hash: 41626C30A0030A8FDB55EF68D5A0A5EB7F2FF84304B208A68D4159F759DB71ED4ACB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cfb349b6aa85e92550f88ba54d5f9bfe60b342537c251244974886e75fdcb3e9
                                  • Instruction ID: a1083f03c1406b3d470e2f2dac81af172bc47b1b6826805db26de0e9946dcc1c
                                  • Opcode Fuzzy Hash: cfb349b6aa85e92550f88ba54d5f9bfe60b342537c251244974886e75fdcb3e9
                                  • Instruction Fuzzy Hash: A4026A30E102098FDFA5CFA8D6906ADB7B6FB85310F24852AD415EBB59DB70DC81CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d3c383af3485314b34ff1a292df3f973cb1ad2f470072d5404a6f0cc5b36612c
                                  • Instruction ID: 2b203d07e47277371729a68d59e8a5fc93a6e717fd5318e27d4d070e130b8dde
                                  • Opcode Fuzzy Hash: d3c383af3485314b34ff1a292df3f973cb1ad2f470072d5404a6f0cc5b36612c
                                  • Instruction Fuzzy Hash: 0DE17F30E103098FDF65DBA8D9906AEB7B6BF89300F208929D405AB754DB74EC46CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e573dbc2d3cdf5ed8e46c85839cafbae2752e5840389e4f524fddaa666416455
                                  • Instruction ID: 5ff8df0435019ea80e11651d1b61cf4625d0a866fb0751ab95fc37f51b8d47cc
                                  • Opcode Fuzzy Hash: e573dbc2d3cdf5ed8e46c85839cafbae2752e5840389e4f524fddaa666416455
                                  • Instruction Fuzzy Hash: D781AD71E006058FDB61CFA9D880BAFB7F6FB88314F21892AE159D7A50D731E845CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3d4f0cb2a97497225e2215f2e3c00e42ab7a3b7d4840245a7728116bc2778a7c
                                  • Instruction ID: b85418db33b4ec1a81d72df3ebc78d986af48beba213a052425311c14b5dc7c9
                                  • Opcode Fuzzy Hash: 3d4f0cb2a97497225e2215f2e3c00e42ab7a3b7d4840245a7728116bc2778a7c
                                  • Instruction Fuzzy Hash: DA917070F506198FDB55DB69D9607AEBBB6BFC8300F108569C809EB744EB709C428B91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ba2641b1bdc94d4ee168995a8b50650affc8d271185944f809dad29c600d2ac0
                                  • Instruction ID: 55dded9a818851154bc8a2619ad88224d7dedc15d695d0ce5e9eb446fac84027
                                  • Opcode Fuzzy Hash: ba2641b1bdc94d4ee168995a8b50650affc8d271185944f809dad29c600d2ac0
                                  • Instruction Fuzzy Hash: 7B61C5B1F001104BDF559B7EC89466EBADBAFC4620B254439D80ADB360DFB6EC0287D1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 123373070cac03010068a5f8b5dca6f2c05a402dd7680b307a5764a06973e0b9
                                  • Instruction ID: 9fe4eb0261459442d5db7af861ae995deac699d59baa8e6692a6b207cbb34ed6
                                  • Opcode Fuzzy Hash: 123373070cac03010068a5f8b5dca6f2c05a402dd7680b307a5764a06973e0b9
                                  • Instruction Fuzzy Hash: 42816E70B102098FDF55DBA8D5A076EBBF2BF88700F248529D40AEB784DB75DC468B91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f7f1360b443b483669b42cc410e9cbed4ea3b76d239b4490c60857c2841b10ad
                                  • Instruction ID: c5e88a79edd69aa8ac40579473c72d25001ed412f18565622fa2e1a04a5aaf7a
                                  • Opcode Fuzzy Hash: f7f1360b443b483669b42cc410e9cbed4ea3b76d239b4490c60857c2841b10ad
                                  • Instruction Fuzzy Hash: 40913D30E106198BDF61DF68C880B9DB7B1FF89310F208699D549BB785EB70A985CF91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8bc94a9d85f3a5d5cf898c36bdb67f36fcac54855246e8a1865382961dc2f3c2
                                  • Instruction ID: 7e47df7916e78890ed101c037dfdddf1c09b5745247aaa70e815b97b7e0ba9f0
                                  • Opcode Fuzzy Hash: 8bc94a9d85f3a5d5cf898c36bdb67f36fcac54855246e8a1865382961dc2f3c2
                                  • Instruction Fuzzy Hash: DC911A30E106198BDF61DF68C880B9DB7B1FF89310F208699D549BB285EB71A985CF91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d24b00c24c363b88cdb567a58502805dbb707e9d79e178254d66d298324cd4e2
                                  • Instruction ID: 2489fdd24e33241146df69ac63361e1b71ad5967c4b1701f9037d23a80aa8eb3
                                  • Opcode Fuzzy Hash: d24b00c24c363b88cdb567a58502805dbb707e9d79e178254d66d298324cd4e2
                                  • Instruction Fuzzy Hash: 42715A70B006099FDB45DBA8C990AAEBBF6FF88300F248429D419EB755DB30EC46CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9d3f5e0c7e5e016fb90b00de7e589f2654be2f281042dbd7d3db4016eac8c3ed
                                  • Instruction ID: c98dcb9713f1d75134d1fc5452d4226ff2ef60c5cd6642cf8b3f4d6ef835c8eb
                                  • Opcode Fuzzy Hash: 9d3f5e0c7e5e016fb90b00de7e589f2654be2f281042dbd7d3db4016eac8c3ed
                                  • Instruction Fuzzy Hash: 4E713930B006099FDB55EBA9C990AAEBBF6FF88300F248429D415EB754DB30EC46CB51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7d50a9066f8e374079adff9fe916eb25b612e39abdd264eb8863d4b6564e4873
                                  • Instruction ID: 5f82896fb79d768bc0af1d962f282ceed107ad481cc6b111df592794a261d365
                                  • Opcode Fuzzy Hash: 7d50a9066f8e374079adff9fe916eb25b612e39abdd264eb8863d4b6564e4873
                                  • Instruction Fuzzy Hash: 40617030F102089FEB559BE5C8547AEBAF6FB88710F20852AE506EB394DF758C458B90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0718808c89a96f2ff7855f73a6d6d2f2672f8804263d1b21e6797103773ba4a9
                                  • Instruction ID: efbeaa8a546da76fd1ce156c7b2df4309277ee942a9f5401117314439c895d65
                                  • Opcode Fuzzy Hash: 0718808c89a96f2ff7855f73a6d6d2f2672f8804263d1b21e6797103773ba4a9
                                  • Instruction Fuzzy Hash: C351E231E002099FDF15EB78E4546AEBBB6FF89311F20886AE106D7690DF359D55CB80
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a5d1d993eca3ed10fb2494f1cef16b9791d06b40ddc9532459a79a65c4ef46a0
                                  • Instruction ID: 387ee33064db1ad215bf1a850aff81643441ad55afec3d58844f995cce8369c0
                                  • Opcode Fuzzy Hash: a5d1d993eca3ed10fb2494f1cef16b9791d06b40ddc9532459a79a65c4ef46a0
                                  • Instruction Fuzzy Hash: FF51A534B202155BEF66A668E8A476F376AE78D310F30442BE00BC77D5CA7ACC4593A1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 87ba1f404643e7e0f21a57c17a608ae2666743f3d9620be76efbd7202d411b63
                                  • Instruction ID: 3bdd732324dfde7e00e30b95a2683952b5e5b788f0e501bdabebb6985f581cdb
                                  • Opcode Fuzzy Hash: 87ba1f404643e7e0f21a57c17a608ae2666743f3d9620be76efbd7202d411b63
                                  • Instruction Fuzzy Hash: 72515070B515098FDB55DB78D960BAEBBF6FBC8740F508569C809DB744EB309C028BA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 95de37e2e9b23c212e0b83f0daec607b79f7d35a35f0c89b8b1518f1d23c2ac8
                                  • Instruction ID: a8b1ca8fa8f6ac1eeac6d17ee2708c65f7b7c96018a5befdeddbd6de447dd096
                                  • Opcode Fuzzy Hash: 95de37e2e9b23c212e0b83f0daec607b79f7d35a35f0c89b8b1518f1d23c2ac8
                                  • Instruction Fuzzy Hash: A8519634B202159BFF65A668E86476F366EE78D310F30443BE40BC7B95CA7ACC4153A1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e8ca74a89ebd6b04713ccdac1726ff37f714b1d45415483e35f0536e50a917df
                                  • Instruction ID: c92b737e9e1c583085902a8c39a8d50e4eedcfebb4d7b0354c91b3954c38961b
                                  • Opcode Fuzzy Hash: e8ca74a89ebd6b04713ccdac1726ff37f714b1d45415483e35f0536e50a917df
                                  • Instruction Fuzzy Hash: AB416F70F106089FEB55DBE9C854BAEBBF6FF88700F20852AD505AB394DB748C058B90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 70eb5ba549fcc9b9e6d3748453574a6ba27f440d410f98179e146dc8cc62564d
                                  • Instruction ID: 12424c90274b299381ec3c412421702e1fe2785bd19ce0e86d0702c9d48a2d7c
                                  • Opcode Fuzzy Hash: 70eb5ba549fcc9b9e6d3748453574a6ba27f440d410f98179e146dc8cc62564d
                                  • Instruction Fuzzy Hash: E8416D70F0074A9BDF66DF64D95079EBBB6BF85340F20492AD411EB640EBB4984ACB81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4032f37d487c756ed57921e3b91408c87beb9ac8d4e05b2e54d7ef18274462d4
                                  • Instruction ID: fc9cdacfefe8496e4b718f7cbe4d953d1049540c41924edf9d4a32f25a656297
                                  • Opcode Fuzzy Hash: 4032f37d487c756ed57921e3b91408c87beb9ac8d4e05b2e54d7ef18274462d4
                                  • Instruction Fuzzy Hash: B331E430B002098FDB6AAB74D56466F7BABBF89650F20552CD406DB384EF35CD06CBA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f7737d7a992b02df8e9b3813d461b8409120316eab43cfbfb4af7d1ccfd0ed46
                                  • Instruction ID: 894970d21b14d837d40c43dac34749787f6ede396f6e68690ae013699c3a2c85
                                  • Opcode Fuzzy Hash: f7737d7a992b02df8e9b3813d461b8409120316eab43cfbfb4af7d1ccfd0ed46
                                  • Instruction Fuzzy Hash: 80316D31E2060A9BCB59CFA4C89469EBBB6FF89300F108919E816E7740DB71A946CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 85c5f68c75fb172182a7cfcc9b1cc830f6bd47beafdad857bb398ce0baa9326f
                                  • Instruction ID: d1bc949ac96b38c9bcf59d1cafab8962f9e299cbbe6dc720e3cbae23abc75f6a
                                  • Opcode Fuzzy Hash: 85c5f68c75fb172182a7cfcc9b1cc830f6bd47beafdad857bb398ce0baa9326f
                                  • Instruction Fuzzy Hash: FD314D31E202099BCB59CFA4C894A9EF7BABF89300F108919E816E7754DB71AD46CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f1dfe68289f527da41ae3edc215985c4c56dca07e85ebaff6d172d3c3e56e50b
                                  • Instruction ID: 3536c698d1ea54429aa018b6e5da4d94cb16a1948477ccaf7015dcb5cdeb9439
                                  • Opcode Fuzzy Hash: f1dfe68289f527da41ae3edc215985c4c56dca07e85ebaff6d172d3c3e56e50b
                                  • Instruction Fuzzy Hash: 3331BF31A006059BDF62CEE5CCC07AFBBB6FB89214F21492AE116D7A41C331E8468B91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0f6706990b5e5a8aea8f5a918e58d5769169a1935236e75bdf00e4ff3282c218
                                  • Instruction ID: 21a156cb0ae24c533f2f976502e2179538c9a933a03ef511eb3ed20c0990c013
                                  • Opcode Fuzzy Hash: 0f6706990b5e5a8aea8f5a918e58d5769169a1935236e75bdf00e4ff3282c218
                                  • Instruction Fuzzy Hash: 0421B075F506149FDB01DF69EA80AAEBBF5FB48B10F148429E905E7780E730D842CBA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 97725bc1ac5827c36be041444ef9ac558fed04108ce94d10fde486f700284931
                                  • Instruction ID: cab988dc68bc2ff0cfee36fe75bbb5b72831a92525f1d2128730d35173dc2485
                                  • Opcode Fuzzy Hash: 97725bc1ac5827c36be041444ef9ac558fed04108ce94d10fde486f700284931
                                  • Instruction Fuzzy Hash: 06218C75F406189FDB50EFA9D990AAEBBF5FB48710F248429E905E7380E730D841CBA4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2586499480.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_126d000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 23eb657169e548196e761d6e39e655c28fab20ef4431c017f76ae435d20a6d6a
                                  • Instruction ID: acf6d77e1220a51c4857ec6bfe243af021585b881f7c756963b1098e4f1de310
                                  • Opcode Fuzzy Hash: 23eb657169e548196e761d6e39e655c28fab20ef4431c017f76ae435d20a6d6a
                                  • Instruction Fuzzy Hash: 8221227161430CEFDB11DF64C9C0B26BB69FB84314F24C5ADE9894B2C2C776D886CA62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 97ef3e67249edf6f1d2992230de4c8c4140a720b4d2d576aa5f41f74a4bee7d3
                                  • Instruction ID: f22d8565bd3d274202f0aa768316608be8fe8a3ddde3f6208ccbb66eb9ca689c
                                  • Opcode Fuzzy Hash: 97ef3e67249edf6f1d2992230de4c8c4140a720b4d2d576aa5f41f74a4bee7d3
                                  • Instruction Fuzzy Hash: A321B471F201189FCF55DBA8E9646AEBBF6FB88310F208529D405EB784DB30DC518B80
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0c824fb959fbc35f7a368f13a947fdcbac12aa8517950e4af9f44a5c9bb590b2
                                  • Instruction ID: 9a9681240033db8612884eecfed6fdb529f55a402afd5a910aba1a8ee70c94cb
                                  • Opcode Fuzzy Hash: 0c824fb959fbc35f7a368f13a947fdcbac12aa8517950e4af9f44a5c9bb590b2
                                  • Instruction Fuzzy Hash: 9D118E35B201284FDF559678D8646AF7BFABBC9710F11853AD80AE7380EF65DC0287A0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6e7ad74f13f6619d3ee4619d1f204c31995173baa70eff28b26aa18f33de383d
                                  • Instruction ID: 804dc8b8db8c0fb7392ef2c193e78f0ea89de53740949424f7a109404a317ec2
                                  • Opcode Fuzzy Hash: 6e7ad74f13f6619d3ee4619d1f204c31995173baa70eff28b26aa18f33de383d
                                  • Instruction Fuzzy Hash: C001D831B105144FC762967CD964B2BBBE9EB8A750F10842AF50EC7B99DE20DC0687D1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c310c54f410e64a64de79a031ae58e9dc0f6300dcb0bb885b7a492d0017c45f5
                                  • Instruction ID: 526ffc76a66b4ce507b2d1ce658344d9f50011579c22696582ff6c9108a58af6
                                  • Opcode Fuzzy Hash: c310c54f410e64a64de79a031ae58e9dc0f6300dcb0bb885b7a492d0017c45f5
                                  • Instruction Fuzzy Hash: 1201D831B109054BDB76DA7C94D4B3E7BDAEBC9210F20852EF50AC7794DE25DC068385
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6b6cf1cc190e715e852b737521a0169674fb040a019c623410cf07191020cb76
                                  • Instruction ID: 252fa1ac2eb89a71c8f22d01dfd39b9fe49f80a9da8a488010a3f16c68613e71
                                  • Opcode Fuzzy Hash: 6b6cf1cc190e715e852b737521a0169674fb040a019c623410cf07191020cb76
                                  • Instruction Fuzzy Hash: 2601DF76B600280BDB59A578DD256EF3BAAABC8710F018936D50AE7680EF60CC0243E1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e539f0bfdbdec348e9e1bc9574080df8e5fe08dcbbf413b007b78e869c97569
                                  • Instruction ID: cf4e0eec6d09768c8325c6156946f745088354f15836794e909b7e48ae425d8d
                                  • Opcode Fuzzy Hash: 2e539f0bfdbdec348e9e1bc9574080df8e5fe08dcbbf413b007b78e869c97569
                                  • Instruction Fuzzy Hash: A101DF35B105104FEB62D67DE46472AB7EBEBC9710F24882EF10AC7745EA69CC028391
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2586499480.000000000126D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0126D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_126d000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                  • Instruction ID: ca0becaa3e28f8907fb1c61e010908ede35cc9e90c951f049895ed262a24b173
                                  • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                  • Instruction Fuzzy Hash: EA11D075604248CFCB12CF54C9C4B15BF61FB84314F24C6A9D9894B692C33AD48ACF51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4c360a3a1e82a751e809da6c87b9996662df314b3610c2f350a7f1f14706160c
                                  • Instruction ID: 119356549e8d3f8a31552e74649d0ff96355393d3365f6f2393b5fe20beb8eb4
                                  • Opcode Fuzzy Hash: 4c360a3a1e82a751e809da6c87b9996662df314b3610c2f350a7f1f14706160c
                                  • Instruction Fuzzy Hash: 5F11D3B5D01259AFCB00DF9AD884ADEFBB8FB49310F10812AE518B7340C374A554CFA5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: be4db1a7fe2db5687b1f59af8df55c6ae916aa467f629dac9ee0b5f1a07aeaa2
                                  • Instruction ID: a37a2f6b90e8b83e2816548bd8b873e5b40a9bab88744b25018f2f6f455fd682
                                  • Opcode Fuzzy Hash: be4db1a7fe2db5687b1f59af8df55c6ae916aa467f629dac9ee0b5f1a07aeaa2
                                  • Instruction Fuzzy Hash: FF01DC31B205140FEB61957EE450B2BB7EEEBC9720F20883AF10AC7784DE65DC028391
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 66abff64739c4116ab211e03b16edab347b2addc6f7d631b582fda3a143965c5
                                  • Instruction ID: 62dd631b9317b254e37f5adff3ab213518ba033b3ad33be208a8e2951eb3dc65
                                  • Opcode Fuzzy Hash: 66abff64739c4116ab211e03b16edab347b2addc6f7d631b582fda3a143965c5
                                  • Instruction Fuzzy Hash: 4021CEB6D01219EFDB00DF9AD984A9EFBB4BB48314F10852AE518B7640D378A554CFA4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 88be2c98bee4390b8493c93ef29d45bf0293a1186c21d8fcd1e151f183ab09b6
                                  • Instruction ID: 8f05e66ba3d9a387cf00c00bed8f3866ac2de89d92ebb42ba825fa26a4839334
                                  • Opcode Fuzzy Hash: 88be2c98bee4390b8493c93ef29d45bf0293a1186c21d8fcd1e151f183ab09b6
                                  • Instruction Fuzzy Hash: F201A431B205144BDB76D52C94A4B3EB7DAE7C9710F20883EF50AC7390EE25DC064395
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 237389ebab8887bbfc2fa67a0690e7bc3721eed215d7cfe459aea9613f194ef4
                                  • Instruction ID: 67e317a6df269b8ce0a3978a9023ac02a352402c1fd7f040ddc61248d17c0b87
                                  • Opcode Fuzzy Hash: 237389ebab8887bbfc2fa67a0690e7bc3721eed215d7cfe459aea9613f194ef4
                                  • Instruction Fuzzy Hash: 1A01A431B201184FDB61E66CD4A4B2AB7D9EB89710F20843AE50EC7B58EE21DC0687C1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3a51af76d4c6cb976a832da9cf259a92bdb03b8d09ba5adac75cec34862d3d5a
                                  • Instruction ID: cd37b44170fe46c61f070b699b85b6a9f5a69900d4b27435628752e8013d4faf
                                  • Opcode Fuzzy Hash: 3a51af76d4c6cb976a832da9cf259a92bdb03b8d09ba5adac75cec34862d3d5a
                                  • Instruction Fuzzy Hash: EF01F431E1020D8BDF619A68D65079EBBB8E745321F20443AD41AD7A48DA31E80587C1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c68e2fe6e16b9e187462c567c643a3dcc16b84ad21eed705d47cf8795d0ab0a0
                                  • Instruction ID: ab991aa23ff3555fd3d53b33168c49660b73672d049241f8adf103191ed6cadf
                                  • Opcode Fuzzy Hash: c68e2fe6e16b9e187462c567c643a3dcc16b84ad21eed705d47cf8795d0ab0a0
                                  • Instruction Fuzzy Hash: 61F0A032F20268EBDB15A965EC109AAB37EF784360F104439ED21E7344DB71AC0087C0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 02433fdd7f3e4afe197ea3978f6d2482bdb3e44a3c28e56993fc2215ff217966
                                  • Instruction ID: e71af9ebf078522135ee8c5114559f83ca0223ed36263f8d33fad3f2f81dd342
                                  • Opcode Fuzzy Hash: 02433fdd7f3e4afe197ea3978f6d2482bdb3e44a3c28e56993fc2215ff217966
                                  • Instruction Fuzzy Hash: 08E09231F152545FCB62CAB08A4539F3BB89B41114F3049A6D008CB543D53ACA02C780
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3c6f808451101e51bc2fa94ddea48ce40b82cf61f93ba5b53b29d6ffe92a60e0
                                  • Instruction ID: 84bc2d89ef29014aa43973311a1660c88859bbdef49ddeb346b1c0e0d800d784
                                  • Opcode Fuzzy Hash: 3c6f808451101e51bc2fa94ddea48ce40b82cf61f93ba5b53b29d6ffe92a60e0
                                  • Instruction Fuzzy Hash: E2F0DA30A20219DFDF55DF94E8597ADBBB2BF84B11F204519E402A7294CB755C45DBC0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0f409d6c6eea989ee2d64ddea49f55558ba073f7530b35275cb14743391f2cc2
                                  • Instruction ID: bf031b665ee348fe7f06f646101648df63bc73feebf994aa7c6277e52488397b
                                  • Opcode Fuzzy Hash: 0f409d6c6eea989ee2d64ddea49f55558ba073f7530b35275cb14743391f2cc2
                                  • Instruction Fuzzy Hash: 8923FA31D106198ADB11EF68C89069DF7B5FF99300F21C79AD458B7221EB70AAD4CF81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2586913970.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1660000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: \VRm
                                  • API String ID: 0-1931484983
                                  • Opcode ID: 201a3544f21edfec734872a03af20aa874c9ff4185f8e11db3f22faff41c3f7c
                                  • Instruction ID: 4f101ac7f0ab05736a41851405aaa929d7f580736977c9ee28dba213ea380c95
                                  • Opcode Fuzzy Hash: 201a3544f21edfec734872a03af20aa874c9ff4185f8e11db3f22faff41c3f7c
                                  • Instruction Fuzzy Hash: 7AB13B70E00209CFDF14DFA9DC857AEBBF6AF88714F148129E815AB394EB749845CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3b677c089b97d5ae56140018494f8ffcdea6ddeb968893eba151249511e76be8
                                  • Instruction ID: 3984bfa9d9f09408b5e5bbfe9b5c124e82c47aab860cc1e0e9ac09a692ce50cc
                                  • Opcode Fuzzy Hash: 3b677c089b97d5ae56140018494f8ffcdea6ddeb968893eba151249511e76be8
                                  • Instruction Fuzzy Hash: 2022D130B102098FDB95DB68D494AAEB7F6FF88310F24856AD406DB7A1DB31EC45CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6e8d51e917bad5374f401cd0363a81f95f2c3b0ac0520a8e501011730330c2c2
                                  • Instruction ID: 1a32eb2b10227839e2f607cb153eefe86c0e30588c6826651ffd15bd952c576a
                                  • Opcode Fuzzy Hash: 6e8d51e917bad5374f401cd0363a81f95f2c3b0ac0520a8e501011730330c2c2
                                  • Instruction Fuzzy Hash: E6124D34E10219CFDB65DFA4C894BAEB7B6BF89300F208569D00AAB754DB709D81CF91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589343100.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69d0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 17543f317e96dc9ffa46b6f430cedcb5350e82240040378d82fd82dc0a79b86f
                                  • Instruction ID: 79e38ddf8851c680b2b89d307d633c163ece2d7b62a010c8638341bfa787bccd
                                  • Opcode Fuzzy Hash: 17543f317e96dc9ffa46b6f430cedcb5350e82240040378d82fd82dc0a79b86f
                                  • Instruction Fuzzy Hash: 09A16B32E002098FCF49DFB5C88459EB7B6FF84310B25857AE906AF661DB75E915CB80
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2589343100.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_69d0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f32f98fe8d828d089da562f6f5834c3f7dd3d6d0b8d5c2ec02da9028fc150c91
                                  • Instruction ID: 9c3d8be0dd6724dd4d614ad446ee8ed504b4d87cc43dba0214f1624df673a741
                                  • Opcode Fuzzy Hash: f32f98fe8d828d089da562f6f5834c3f7dd3d6d0b8d5c2ec02da9028fc150c91
                                  • Instruction Fuzzy Hash: 5E813571E102098FDF60CF99C884AEEBBB9FB48310F24846AE519E7655D334DA41CBA1
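The entries above are Joe Sandbox function records flattened into text: one "Memory Dump Source" block per recovered code fragment, each carrying the dump it came from, its offset, and the opcode/instruction IDs and fuzzy hashes used for similarity pivots. To turn a listing like this into something you can query during triage (which fragments came from which memory region, which records carry a string, whether the Opcode ID and Opcode Fuzzy Hash fields actually agree), here is an added Python parser written for this page. It is not Joe Sandbox code and does not use any Joe Sandbox API; it assumes only the line layout visible above, and the embedded sample input is two records copied from the listing (one from the 069E0000 region, one from 01660000).

```python
import re
from collections import defaultdict

# Constructed input: two records copied verbatim from the listing above.
# Raw string so the "\VRm" string ID keeps its backslash.
SAMPLE_RECORDS = r"""
Memory Dump Source
• Source File: 00000000.00000002.2589372070.00000000069E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_69e0000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 88be2c98bee4390b8493c93ef29d45bf0293a1186c21d8fcd1e151f183ab09b6
• Instruction ID: 8f05e66ba3d9a387cf00c00bed8f3866ac2de89d92ebb42ba825fa26a4839334
• Opcode Fuzzy Hash: 88be2c98bee4390b8493c93ef29d45bf0293a1186c21d8fcd1e151f183ab09b6
• Instruction Fuzzy Hash: F201A431B205144BDB76D52C94A4B3EB7DAE7C9710F20883EF50AC7390EE25DC064395
Strings
Memory Dump Source
• Source File: 00000000.00000002.2586913970.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1660000_172473834493f9dd4c11e505629bd9b8efb5932f698a99acd495429ea8dcfe99effc6f.jbxd
Similarity
• API ID:
• String ID: \VRm
• API String ID: 0-1931484983
• Opcode ID: 201a3544f21edfec734872a03af20aa874c9ff4185f8e11db3f22faff41c3f7c
• Instruction ID: 4f101ac7f0ab05736a41851405aaa929d7f580736977c9ee28dba213ea380c95
• Opcode Fuzzy Hash: 201a3544f21edfec734872a03af20aa874c9ff4185f8e11db3f22faff41c3f7c
• Instruction Fuzzy Hash: 7AB13B70E00209CFDF14DFA9DC857AEBBF6AF88714F148129E815AB394EB749845CB91
"""

RECORD_START = "Memory Dump Source"
# "• Key: value" bullet; value may be empty (API ID etc. are often blank).
FIELD_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*)$")
# "<dump>.sdmp, Offset: <hex>, based on PE: true|false"
SOURCE_RE = re.compile(
    r"^(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)


def parse_records(text):
    """Split the flattened listing into one dict per code fragment.

    A record starts at a 'Memory Dump Source' line. Heading lines
    ('Joe Sandbox IDA Plugin', 'Similarity', 'Strings') carry no value and
    are skipped; bullet lines become key/value pairs, blanks kept as ''.
    """
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == RECORD_START:
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def parse_source(value):
    """Return (dump file name, base offset as int, based_on_pe) from a
    'Source File' field; raise on a layout this parser does not know."""
    m = SOURCE_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised Source File field: {value!r}")
    return m.group("dump"), int(m.group("offset"), 16), m.group("pe") == "true"


def group_by_region(records):
    """Map each dump base offset to the Opcode IDs recovered from it, so a
    triager can see how many fragments each unpacked region contributed."""
    regions = defaultdict(list)
    for rec in records:
        _, offset, _ = parse_source(rec["Source File"])
        regions[offset].append(rec["Opcode ID"])
    return dict(regions)


def divergent_hashes(records):
    """Opcode IDs whose 'Opcode Fuzzy Hash' differs from 'Opcode ID'.
    Every record on this page has the two fields equal; this checks that
    rather than assuming it when the parser is pointed at another report."""
    return [r["Opcode ID"] for r in records
            if r.get("Opcode Fuzzy Hash") != r.get("Opcode ID")]


def records_with_strings(records):
    """Opcode IDs of fragments that reference at least one string."""
    return [r["Opcode ID"] for r in records if r.get("String ID")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for offset, ids in sorted(group_by_region(recs).items()):
        print(f"region {offset:08X}: {len(ids)} fragment(s)")
    print("fragments referencing strings:", records_with_strings(recs))
    print("opcode id / fuzzy hash mismatches:", divergent_hashes(recs))
```

Feed it the text of a whole function listing rather than the excerpt and `group_by_region` gives a per-region fragment count, which is a quick way to see that the interesting code here lives in the unpacked 069E0000/069D0000/01660000 regions rather than in the on-disk image (every record says `based on PE: false`).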