
Windows Analysis Report
bleorigin.exe

Overview

General Information

Sample name: bleorigin.exe
Analysis ID: 1615022
MD5: 0cd79e1837ecc2651611323ce6c009a7
SHA1: 6bd16567c5b2c2724c7590f1aebc082f37066fbf
SHA256: b9aa15b40149a14595782f3138816babd5aa6a2cae761d9f6a2c1a7b52256bc7
Tags: 196-251-92-64, AgentTesla, exe, user-JAMESWT_MHT

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Stores large binary data to the registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • bleorigin.exe (PID: 5168 cmdline: "C:\Users\user\Desktop\bleorigin.exe" MD5: 0CD79E1837ECC2651611323CE6C009A7)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{
  "Exfil Mode": "SMTP",
  "Port": "587",
  "Host": "mail.worlorderbillions.top",
  "Username": "niggabguy22jan2024@worlorderbillions.top",
  "Password": "~lhTqZ3?QKP@                       "
}
Source | Rule | Description | Author | Strings
bleorigin.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
bleorigin.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
bleorigin.exe | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3351f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33591:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3361b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x336ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33717:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33789:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3381f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x338af:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source | Rule | Description | Author | Strings
00000000.00000002.3280529743.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.3280529743.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.0.bleorigin.exe.7f0000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.bleorigin.exe.7f0000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.0.bleorigin.exe.7f0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3351f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33591:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3361b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x336ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33717:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33789:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3381f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x338af:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 185.174.173.22, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\bleorigin.exe, Initiated: true, ProcessId: 5168, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
No Suricata rule has matched


AV Detection

Source: bleorigin.exe | Avira: detected
Source: bleorigin.exe | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.worlorderbillions.top", "Username": "niggabguy22jan2024@worlorderbillions.top", "Password": "~lhTqZ3?QKP@ "}
Source: bleorigin.exe | Virustotal: Detection: 73%
Source: bleorigin.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: bleorigin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: bleorigin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 185.174.173.22:587
Source: Joe Sandbox View | IP Address: 185.174.173.22
Source: Joe Sandbox View | ASN Name: ITLDC-NLUA
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.worlorderbillions.top
Source: bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.worlorderbillions.top
Source: bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/09
Source: bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
Source: bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://worlorderbillions.top
Source: bleorigin.exe, 00000000.00000002.3282453835.0000000005E4C000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3282453835.0000000005E38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: bleorigin.exe, 00000000.00000002.3282453835.0000000005E4C000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp, bleorigin.exe, 00000000.00000002.3282453835.0000000005E38000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: bleorigin.exe | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: bleorigin.exe, POq2Ux.cs | .Net Code: kHSOsUTD

System Summary

Source: bleorigin.exe, type: SAMPLE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.0.bleorigin.exe.7f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_02B04AA0
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_02B09BFA
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_02B03E88
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_02B0CDC8
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_02B041D0
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_05EE878B
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_05EE2700
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_05EE96E0
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_05EEB908
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_05EED89D
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_05EE0040
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_05EE3B48
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_05EE52E0
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_05EE4C00
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_05EE2E33
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_0602CD31
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_060296B8
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_0602B198
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_060299D4
Source: bleorigin.exe, 00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamee8ae4cc3-dac5-429a-ad46-d51bb0595a38.exe4 vs bleorigin.exe
Source: bleorigin.exe, 00000000.00000002.3279318601.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs bleorigin.exe
Source: bleorigin.exe, 00000000.00000002.3279172343.00000000009B8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs bleorigin.exe
Source: bleorigin.exe | Binary or memory string: OriginalFilenamee8ae4cc3-dac5-429a-ad46-d51bb0595a38.exe4 vs bleorigin.exe
Source: bleorigin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: bleorigin.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.bleorigin.exe.7f0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: bleorigin.exe, ZTFEpdjP8zw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: bleorigin.exe, WnRNxU.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: bleorigin.exe, 2njIk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: bleorigin.exe, I5ElxL.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: bleorigin.exe, QQSiOsa4hPS.cs | Cryptographic APIs: 'CreateDecryptor'
Source: bleorigin.exe, FdHU4eb83Z7.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: bleorigin.exe, 3VzYbXLJt4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: bleorigin.exe | Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.W
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\bleorigin.exe | Mutant created: NULL
Source: bleorigin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bleorigin.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\bleorigin.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\bleorigin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\bleorigin.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\bleorigin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: bleorigin.exe | Virustotal: Detection: 73%
Source: bleorigin.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\bleorigin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\bleorigin.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: bleorigin.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: bleorigin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\bleorigin.exe | Code function: 0_2_060230B7 push AC0675DAh; retf 0_2_0602310D
Source: C:\Users\user\Desktop\bleorigin.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\bleorigin.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob
Source: C:\Users\user\Desktop\bleorigin.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\bleorigin.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\bleorigin.exe | Memory allocated: 2A60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bleorigin.exe | Memory allocated: 2D20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\bleorigin.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\bleorigin.exe | Window / User API: threadDelayed 1230
Source: C:\Users\user\Desktop\bleorigin.exe | Window / User API: threadDelayed 5422
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 6660 | Thread sleep count: 1230 > 30
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -99870s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 6660 | Thread sleep count: 5422 > 30
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -99748s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -99528s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -99077s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -98967s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -98746s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -98531s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -98422s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -98313s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -98188s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -98063s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -97953s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -97844s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -97500s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -97388s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -97281s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -97172s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -97062s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -96953s >= -30000s
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876 | Thread sleep time: -96844s >= -30000s
                    Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876Thread sleep time: -96719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876Thread sleep time: -96609s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876Thread sleep time: -96500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876Thread sleep time: -96391s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\bleorigin.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\bleorigin.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 99870Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 99748Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 99640Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 99528Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 99422Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 99312Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 99203Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 99077Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 98967Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 98859Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 98746Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 98640Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 98531Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 98422Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 98313Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 98188Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 98063Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 97953Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 97844Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 97719Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 97609Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 97500Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 97388Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 97281Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 97172Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 97062Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 96953Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 96844Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 96719Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 96609Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 96500Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 96391Jump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: bleorigin.exe, 00000000.00000002.3282358973.0000000005DD0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Note: "Hyper-V RAW" is the display name of the Winsock catalog entry for Hyper-V sockets that ships in mswsock.dll on every current Windows installation, so this string on its own is not evidence that the sample checks for a hypervisor; the WMI queries above are the stronger indicator.
                    Source: C:\Users\user\Desktop\bleorigin.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeMemory allocated: page read and write | page guardJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeQueries volume information: C:\Users\user\Desktop\bleorigin.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Users\user\Desktop\bleorigin.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 BlobJump to behavior
Note on the "Adds / modifies Windows certificates" signature: CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of ISRG Root X1, the Let's Encrypt root. Taken together with the r11/x1.lencr.org CRL and OCSP URLs found in process memory (listed under URLs below), this is consistent with Windows' automatic AuthRoot update being triggered by a TLS handshake against a Let's Encrypt-issued certificate, not with the sample installing a root certificate of its own.
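The sleep and delay signatures above are raw per-call lines. The Python script below is an added worked example (editor's code, not part of the Joe Sandbox report) that parses lines in exactly that fused format and reduces them to the figures a triage analyst wants: how many sleeps exceed the 30000 threshold, how many are effectively infinite, and how much wall-clock time the finite ones would cost an unpatched sandbox. It treats the printed values as milliseconds; the report prints "s", but the 30000 threshold and the descending 100000, 99870, 99748, ... series read as ms, so that is an editorial assumption. The value 922337203685477 seen in the report equals floor(2^63 / 10000), i.e. .NET's TimeSpan.MaxValue expressed in milliseconds, and the script uses that constant to classify a sleep as effectively infinite. The sample lines are constructed from the report and cover only a few of its entries.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a few signature lines copied from the report in the
# fused form the page renders them ("TID: 5876Thread sleep time: ...").
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876Thread sleep time: -21213755684765971s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876Thread sleep time: -100000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 6660Thread sleep count: 1230 > 30Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876Thread sleep time: -99870s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\bleorigin.exe TID: 5876Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\bleorigin.exeThread delayed: delay time: 100000Jump to behavior
"""

# floor(TimeSpan.MaxValue.TotalMilliseconds): 2**63 ticks / 10_000 ticks per ms.
# A sleep of this length (or longer) never returns; it is a "wait forever" in disguise.
DOTNET_TIMESPAN_MAX_MS = (1 << 63) // 10_000  # 922337203685477

SLEEP_RE = re.compile(r"TID: (\d+)Thread sleep time: -(\d+)s >= -(\d+)s")
COUNT_RE = re.compile(r"TID: (\d+)Thread sleep count: (\d+) > (\d+)")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")


@dataclass
class SleepEvent:
    kind: str   # "sleep" (one call), "count" (calls on a thread) or "delay" (sandbox-side delay)
    tid: int    # 0 when the line carries no thread id
    value: int  # milliseconds for sleep/delay (assumption, see lead-in), call count for "count"


def parse(text):
    """Turn the report's sleep/delay signature lines into SleepEvent records."""
    events = []
    for line in text.splitlines():
        if m := SLEEP_RE.search(line):
            events.append(SleepEvent("sleep", int(m[1]), int(m[2])))
        elif m := COUNT_RE.search(line):
            events.append(SleepEvent("count", int(m[1]), int(m[2])))
        elif m := DELAY_RE.search(line):
            events.append(SleepEvent("delay", 0, int(m[1])))
    return events


def longest_countdown(events):
    """Longest run of consecutive, strictly decreasing sleeps on a single thread.
    A long run is what a loop that re-sleeps the remaining time until a deadline
    looks like, which is how the 100000, 99870, 99748, ... series reads."""
    best, runs, last = 0, {}, {}
    for e in events:
        if e.kind != "sleep":
            continue
        runs[e.tid] = runs[e.tid] + 1 if e.tid in last and e.value < last[e.tid] else 1
        last[e.tid] = e.value
        best = max(best, runs[e.tid])
    return best


def summarize(events, long_sleep_ms=30_000):
    """Triage figures: call counts, how many sleeps are long or effectively infinite,
    and the wall-clock time the finite sleeps would cost an unpatched sandbox."""
    sleeps = [e for e in events if e.kind == "sleep"]
    finite = [e.value for e in sleeps if e.value < DOTNET_TIMESPAN_MAX_MS]
    return {
        "sleep_calls": len(sleeps),
        "long_sleeps": sum(1 for e in sleeps if e.value >= long_sleep_ms),
        "effectively_infinite": len(sleeps) - len(finite),
        "finite_total_seconds": sum(finite) / 1000,
        "max_sleep_count": max((e.value for e in events if e.kind == "count"), default=0),
        "threads": sorted({e.tid for e in sleeps}),
        "longest_countdown": longest_countdown(events),
    }


if __name__ == "__main__":
    for key, val in summarize(parse(SAMPLE_LINES)).items():
        print(f"{key:22} {val}")
```

Run against the full signature list, the "effectively_infinite" count and a long "longest_countdown" are the two numbers worth carrying into a report: the first says the sample would idle for the entire analysis without the sandbox's Sleep patching (the "33x Sleep call ... modified" entry under Runtime messages), the second says the delay is a deadline loop rather than a single sleep, so shortening one call does not defeat it.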

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: bleorigin.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.bleorigin.exe.7f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.3280529743.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3280529743.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3280529743.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: bleorigin.exe PID: 5168, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\bleorigin.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\bleorigin.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Yara matchFile source: bleorigin.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.bleorigin.exe.7f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: bleorigin.exe PID: 5168, type: MEMORYSTR
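The file and registry opens listed in this section are the credential stores that AgentTesla-family stealers enumerate. What separates them from a browser or mail client reading its own store is a single process touching the stores of several unrelated applications within seconds. The Python script below is an added example (editor's code, not part of the report or of any detection product) that encodes exactly the targets named above, normalises paths and registry keys so the user name, drive letter and hive prefix do not matter, and flags a process that reaches two or more application families inside a time window. The event tuples are constructed in the shape of Sysmon file-access and registry-open events for the PID the report shows (5168); the tuple layout, the 60-second window and the two-family threshold are assumptions.

```python
import re
from collections import defaultdict

# Credential stores opened by this sample (paths and keys from the report above),
# keyed by their normalised form and mapped to the application family they belong to.
TARGETS = {
    r"appdata\local\google\chrome\user data\default\login data": "browser",
    r"appdata\local\microsoft\edge\user data\default\login data": "browser",
    r"appdata\roaming\mozilla\firefox\profiles.ini": "browser",
    r"appdata\roaming\8pecxstudios\cyberfox\profiles.ini": "browser",
    r"appdata\roaming\netgate technologies\blackhawk\profiles.ini": "browser",
    r"appdata\roaming\thunderbird\profiles.ini": "mail",
    r"software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles": "mail",
    r"software\incredimail\identities": "mail",
    r"ftp navigator\ftplist.txt": "ftp",
    r"software\martin prikryl\winscp 2\sessions": "scp",
}

# Strip the parts that vary per host: user profile directory, drive letter, registry hive
# (with or without a SID, so HKU\S-1-5-21-...\Software\... folds onto the HKCU form).
USER_PREFIX = re.compile(r"^[a-z]:\\users\\[^\\]+\\")
DRIVE_PREFIX = re.compile(r"^[a-z]:\\")
HIVE_PREFIX = re.compile(r"^hk(ey_)?(cu|current_user|lm|local_machine|u|users)\\(s-1-[0-9-]+\\)?")


def normalise(target):
    t = target.lower().replace("/", "\\")
    t = USER_PREFIX.sub("", t)
    t = DRIVE_PREFIX.sub("", t)
    return HIVE_PREFIX.sub("", t)


def classify(target):
    """Application family of a credential store, or None if the target is not one."""
    return TARGETS.get(normalise(target))


SAMPLE = r"C:\Users\user\Desktop\bleorigin.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed events in the shape (seconds, pid, image, target), as a Sysmon
# file-access / registry-open feed would deliver them. Not taken from the report's logs.
SAMPLE_EVENTS = [
    (0.0, 5168, SAMPLE, r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (0.2, 5168, SAMPLE, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (0.3, 5168, SAMPLE, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (0.5, 5168, SAMPLE, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (0.9, 5168, SAMPLE, r"C:\FTP Navigator\Ftplist.txt"),
    (1.1, 5168, SAMPLE, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (1.2, 5168, SAMPLE, r"HKCU\Software\IncrediMail\Identities"),
    # Benign: the browser reading its own store touches one family and is not flagged.
    (3.0, 4321, CHROME, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (7.0, 2222, r"C:\Windows\System32\notepad.exe", r"C:\Users\user\Documents\notes.txt"),
]


def find_stealers(events, window_s=60.0, min_families=2):
    """Return {(pid, image): [families]} for processes that open credential stores
    of at least min_families distinct application families within window_s seconds."""
    hits = defaultdict(list)
    for ts, pid, image, target in events:
        family = classify(target)
        if family:
            hits[(pid, image)].append((ts, family))
    flagged = {}
    for proc, seen in hits.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            families = {f for t, f in seen[i:] if t - t0 <= window_s}
            if len(families) >= min_families:
                flagged[proc] = sorted(families)
                break
    return flagged


if __name__ == "__main__":
    for (pid, image), families in find_stealers(SAMPLE_EVENTS).items():
        print(f"pid {pid} {image}: credential stores of {', '.join(families)}")
```

The family threshold, not the raw path list, is what keeps the rule quiet on real hosts: chrome.exe opening Login Data or thunderbird.exe opening profiles.ini is normal, while bleorigin.exe walking browser, mail, FTP and WinSCP stores in just over a second is not. To feed it from Sysmon, file reads need a SACL on the target files (Event 4663) or an EDR file-access stream, since Sysmon Event 11 only covers file creation.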

                    Remote Access Functionality

                    Source: Yara matchFile source: bleorigin.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.bleorigin.exe.7f0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.3280529743.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3280529743.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3280529743.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: bleorigin.exe PID: 5168, type: MEMORYSTR
MITRE ATT&CK Matrix
(one line per tactic, techniques in the order the matrix lists them; a figure in brackets is the marker the report attaches to a technique it matched, reproduced exactly as rendered; techniques without a figure are the unmatched matrix placeholders)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [121]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Modify Registry [1]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [141]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; Compile After Delivery
Credential Access: OS Credential Dumping [2]; Input Capture [1]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry [1]; Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [24]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection [1]; Input Capture [1]; Archive Collected Data [11]; Data from Local System [2]; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

Antivirus detection (submitted sample)
Source | Detection | Scanner | Label
bleorigin.exe | 74% | Virustotal | (no label)
bleorigin.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
bleorigin.exe | 100% | Avira | TR/Spy.Gen8
No Antivirus matches for the remaining artefact classes

URL detection
Source | Detection | Scanner | Label
http://mail.worlorderbillions.top | 0% | Avira URL Cloud | safe
http://worlorderbillions.top | 0% | Avira URL Cloud | safe


Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
worlorderbillions.top | 185.174.173.22 | true | true | (none) | unknown
mail.worlorderbillions.top | unknown | unknown | true | (none) | unknown
URLs
Name | Source | Malicious | Antivirus Detection | Reputation

http://r11.i.lencr.org/09
  Source: bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp; bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp; bleorigin.exe, 00000000.00000002.3279318601.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: (none) | Reputation: high

http://mail.worlorderbillions.top
  Source: bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

https://account.dyn.com/
  Source: bleorigin.exe
  Malicious: false | Antivirus Detection: (none) | Reputation: high

http://r11.o.lencr.org0#
  Source: bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp; bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp; bleorigin.exe, 00000000.00000002.3279318601.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: (none) | Reputation: high

http://worlorderbillions.top
  Source: bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

http://x1.c.lencr.org/0
  Source: bleorigin.exe, 00000000.00000002.3282453835.0000000005E4C000.00000004.00000020.00020000.00000000.sdmp; bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp; bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp; bleorigin.exe, 00000000.00000002.3282453835.0000000005E38000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: (none) | Reputation: high

http://x1.i.lencr.org/0
  Source: bleorigin.exe, 00000000.00000002.3282453835.0000000005E4C000.00000004.00000020.00020000.00000000.sdmp; bleorigin.exe, 00000000.00000002.3280529743.0000000002D76000.00000004.00000800.00020000.00000000.sdmp; bleorigin.exe, 00000000.00000002.3279318601.0000000000F73000.00000004.00000020.00020000.00000000.sdmp; bleorigin.exe, 00000000.00000002.3282453835.0000000005E38000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: (none) | Reputation: high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.174.173.22 | worlorderbillions.top | Ukraine | 21100 | ITLDC-NLUA | true
                                  Joe Sandbox version:42.0.0 Malachite
                                  Analysis ID:1615022
                                  Start date and time:2025-02-14 12:30:28 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 4m 24s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:4
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:bleorigin.exe
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 61
                                  • Number of non-executed functions: 5
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                  • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.60
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:31:18 | API Interceptor | 33x Sleep call for process: bleorigin.exe modified
Context: IP 185.174.173.22
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.174.173.22 | FATURA.exe | malicious | FormBook | www.rockbull.pro/0804/
185.174.173.22 | TAX INVOICE.exe | malicious | FormBook | www.rockbull.pro/0804/
185.174.173.22 | Arrival Notice.exe | malicious | FormBook | www.rockbull.pro/4f6v/
185.174.173.22 | Hesap.exe | malicious | FormBook | www.rockbull.pro/0804/
185.174.173.22 | QNBSWIFT.exe | malicious | FormBook | www.rockbull.pro/0804/
185.174.173.22 | ekte.exe | malicious | FormBook | www.rockbull.pro/0804/
185.174.173.22 | EKTEDIR.exe | malicious | FormBook | www.rockbull.pro/0804/
185.174.173.22 | sse5JV1aR1.exe | malicious | FormBook | www.rockbull.pro/jdqu/
185.174.173.22 | 9vhyFG1hNa.exe | malicious | FormBook | www.rockbull.pro/zckq/
185.174.173.22 | RQ#071024.exe | malicious | FormBook | www.rockbull.pro/zckq/?O47=yt+/CYY17yfZsUzW1dzpXI0PtNsveO0es5mNBWZLxvJYS159teOgxf1K62P/A3Nk2I+sCuZ6Gvq/1Opx8wxJUkw6vtEbl6N+fnEOWCFb3RhlmuBmrQ==&LT=aZbPzzPX3H

Context: domains
No context

Context: ASN ITLDC-NLUA
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ITLDC-NLUA | nvtPp8Gj2Q.exe | malicious | AgentTesla | 185.174.175.187
ITLDC-NLUA | rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | malicious | AgentTesla | 185.174.175.187
ITLDC-NLUA | DCV78I939025789245.scr.exe | malicious | AgentTesla, PureLog Stealer | 185.174.173.22
ITLDC-NLUA | j66xcjuMKP.exe | malicious | AgentTesla | 185.174.175.187
ITLDC-NLUA | 54B0E7E0Mk.exe | malicious | AgentTesla | 185.174.175.187
ITLDC-NLUA | sora.mpsl.elf | malicious | Unknown | 5.34.180.213
ITLDC-NLUA | PAYMENT RECEIPT.html | malicious | HTMLPhisher | 185.174.173.22
ITLDC-NLUA | Mg5bMQ2lWi.exe | malicious | Petite Virus, Socks5Systemz | 185.237.206.129
ITLDC-NLUA | cNF6fXdjPw.dll | malicious | Socks5Systemz | 185.237.206.129
ITLDC-NLUA | KRdh0OaXqH.exe | malicious | Petite Virus, Socks5Systemz | 185.237.206.129

No context for the remaining context classes
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):5.000803375749883
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:bleorigin.exe
                                  File size:240'128 bytes
                                  MD5:0cd79e1837ecc2651611323ce6c009a7
                                  SHA1:6bd16567c5b2c2724c7590f1aebc082f37066fbf
                                  SHA256:b9aa15b40149a14595782f3138816babd5aa6a2cae761d9f6a2c1a7b52256bc7
                                  SHA512:dadb31dc48cb8e390c044e9de9cc67ce34896da4e1d224eb42d9ddf6b1bc8f8086f62b388fec4e379c682ed2e9fcc569eda2c77736991ad4655f9c358097df9c
                                  SSDEEP:3072:yRA0lRVpl1D2lVbTWQdVudhBEe5TyCSGqG:yRDlRVpl1D2vbTWQwSVCx
                                  TLSH:8B340F037E88EB15E1A93D3782EF6C2413B2B4C71633C60B6F49AFA518516825D7E72D
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-.e............................n.... ........@.. ....................................@................................
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0x43bf6e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x65AE2D9B [Mon Jan 22 08:55:55 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entrypoint)
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the last line repeats for the remainder of the listing: the first instruction is the standard managed-executable stub, an indirect jump through the import table to the CLR entry in mscoree.dll, and the bytes that follow it are zero padding, which disassembles as add byte ptr [eax], al)
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add al, byte ptr [eax]
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  and byte ptr [eax], al
                                  add byte ptr [eax+00000018h], al
                                  push eax
                                  add byte ptr [eax], al
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add dword ptr [eax], eax
                                  add dword ptr [eax], eax
                                  add byte ptr [eax], al
                                  cmp byte ptr [eax], al
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x3bf14         | 0x57         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x3c000         | 0x546        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x3e000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0x39f74      | 0x3a000  | 32cba4e28d94814962803f813aa67e61 | False    | 0.3577544113685345 | data      | 5.012248399343291   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0x3c000         | 0x546        | 0x600    | 346171ad3e9f4a2ca3ed5c40c281237c | False    | 0.3997395833333333 | data      | 3.9912193590907696  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3e000         | 0xc          | 0x200    | 47722ed4378cb86afb4b1954e8c92277 | False    | 0.044921875        | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name        | RVA     | Size  | Type                                                                               | Language | Country | ZLIB Complexity
RT_VERSION  | 0x3c0a0 | 0x2bc | data                                                                               |          |         | 0.44
RT_MANIFEST | 0x3c35c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |         | 0.5469387755102041
DLL         | Import
mscoree.dll | _CorExeMain
Description      | Data
Translation      | 0x0000 0x04b0
FileDescription  |
FileVersion      | 1.0.0.0
InternalName     | e8ae4cc3-dac5-429a-ad46-d51bb0595a38.exe
LegalCopyright   |
OriginalFilename | e8ae4cc3-dac5-429a-ad46-d51bb0595a38.exe
ProductVersion   | 1.0.0.0
Assembly Version | 1.0.0.0


                                  • Total Packets: 22
                                  • 587 undefined
                                  • 53 (DNS)
Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP
Feb 14, 2025 12:31:20.230366945 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:20.235234976 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:20.235338926 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:21.007343054 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:21.011890888 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:21.018244028 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:21.185740948 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:21.185909033 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:21.190723896 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:21.360076904 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:21.368634939 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:21.373651028 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:21.551501036 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:21.551597118 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:21.551610947 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:21.551654100 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:21.589638948 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:21.595242023 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:21.764240980 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:21.810322046 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:21.826391935 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:21.832910061 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:21.999372005 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.000447035 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:22.007203102 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.175662041 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.176665068 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:22.181687117 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.373688936 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.374535084 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:22.379440069 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.547530890 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.547939062 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:22.552915096 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.728388071 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.728619099 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:22.733514071 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.901664019 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.902321100 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:22.902441978 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:22.902462006 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:22.902522087 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:31:22.907105923 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.907344103 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.907354116 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:22.907365084 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:23.198755980 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:31:23.247834921 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:32:59.560571909 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Feb 14, 2025 12:32:59.565499067 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:32:59.735508919 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5
Feb 14, 2025 12:32:59.738759041 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22
Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Feb 14, 2025 12:31:19.535444021 CET | 61278       | 53        | 192.168.2.5 | 1.1.1.1
Feb 14, 2025 12:31:20.222647905 CET | 53          | 61278     | 1.1.1.1     | 192.168.2.5
Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                       | Type           | Class       | DNS over HTTPS
Feb 14, 2025 12:31:19.535444021 CET | 192.168.2.5 | 1.1.1.1 | 0xdaf4   | Standard query (0) | mail.worlorderbillions.top | A (IP address) | IN (0x0001) | false
Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                       | CName                 | Address        | Type                   | Class       | DNS over HTTPS
Feb 14, 2025 12:31:20.222647905 CET | 1.1.1.1   | 192.168.2.5 | 0xdaf4   | No error (0) | mail.worlorderbillions.top | worlorderbillions.top |                | CNAME (Canonical name) | IN (0x0001) | false
Feb 14, 2025 12:31:20.222647905 CET | 1.1.1.1   | 192.168.2.5 | 0xdaf4   | No error (0) | worlorderbillions.top      |                       | 185.174.173.22 | A (IP address)         | IN (0x0001) | false
Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP        | Commands
Feb 14, 2025 12:31:21.007343054 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5    | 220-cp8nl.hyperhost.ua ESMTP Exim 4.98 #2 Fri, 14 Feb 2025 13:31:20 +0200
                                    |             |           |                |                | 220-We do not authorize the use of this system to transport unsolicited,
                                    |             |           |                |                | 220 and/or bulk e-mail.
Feb 14, 2025 12:31:21.011890888 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22 | EHLO 210979
Feb 14, 2025 12:31:21.185740948 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5    | 250-cp8nl.hyperhost.ua Hello 210979 [8.46.123.189]
                                    |             |           |                |                | 250-SIZE 52428800
                                    |             |           |                |                | 250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                    |             |           |                |                | 250-8BITMIME
                                    |             |           |                |                | 250-PIPELINING
                                    |             |           |                |                | 250-PIPECONNECT
                                    |             |           |                |                | 250-STARTTLS
                                    |             |           |                |                | 250 HELP
Feb 14, 2025 12:31:21.185909033 CET | 49704       | 587       | 192.168.2.5    | 185.174.173.22 | STARTTLS
Feb 14, 2025 12:31:21.360076904 CET | 587         | 49704     | 185.174.173.22 | 192.168.2.5    | 220 TLS go ahead
[Process activity charts omitted: two timelines over 0-100 s (one on a 0-100 scale, one in MB) and the behavior distribution chart with the categories File, Registry and Network.]

                                  Target ID:0
                                  Start time:06:31:17
                                  Start date:14/02/2025
                                  Path:C:\Users\user\Desktop\bleorigin.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\bleorigin.exe"
                                  Imagebase:0x7f0000
                                  File size:240'128 bytes
                                  MD5 hash:0CD79E1837ECC2651611323CE6C009A7
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3280529743.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3280529743.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.2032829432.00000000007F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3280529743.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.3280529743.0000000002DA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:false

                                  Execution Graph

                                  Execution Coverage

                                  Dynamic/Packed Code Coverage

                                  Signature Coverage

                                  Execution Coverage:9.6%
                                  Dynamic/Decrypted Code Coverage:66.7%
                                  Signature Coverage:0%
                                  Total number of Nodes:114
                                  Total number of Limit Nodes:7
[Execution graph rendering omitted: node/edge dump of the interactive graph. The API calls reached in the graph are CallWindowProcW, CreateWindowExW and GlobalMemoryStatusEx.]

                                  Executed Functions

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                  • API String ID: 0-3723351465
                                  • Opcode ID: 38808f8a838292b060afcf745794225ef4cb505d0daa0f68179f07cd2618b673
                                  • Instruction ID: 9f2cee4739e8295ac6c06865eaefc9745dd139cf6b8665a966838ca2cd1d686c
                                  • Opcode Fuzzy Hash: 38808f8a838292b060afcf745794225ef4cb505d0daa0f68179f07cd2618b673
                                  • Instruction Fuzzy Hash: FE825B30A10709CFDB24DF64C598A9DB7B2FF85304F54D6A9D449AB264EB70ED86CB80

                                  Control-flow Graph

[Control-flow graph rendering omitted: basic-block/edge dump (executed and not-executed blocks) of the function whose graph starts at 0x5eeb908; it contains calls to 0x5ee3af8.]
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 0os$Dqs$PH]q
                                  • API String ID: 0-4021589656
                                  • Opcode ID: 1ffe4592b112cb1e68979ac473cc1ced47d169ec81cf4c7d2d7863ca02ef0bf0
                                  • Instruction ID: b429c5cbb8d10cf9811ed9f9096d92c00f9f37424832f94861022d1dbbb98a98
                                  • Opcode Fuzzy Hash: 1ffe4592b112cb1e68979ac473cc1ced47d169ec81cf4c7d2d7863ca02ef0bf0
                                  • Instruction Fuzzy Hash: 0B22AC30B101058FDB24DF68D494AAEB7EAFF88318F208469D44ADB365DB35EC46CB91

                                  Control-flow Graph

[Control-flow graph rendering omitted: basic-block/edge dump (executed and not-executed blocks) of the function whose graph starts at 0x5ee52e0; it contains calls to 0x5ee3af8.]
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $]q$$]q
                                  • API String ID: 0-127220927
                                  • Opcode ID: 7395f2c5ed3ff89e1f74ade9a0ff30b8feb3083aa3fd4c9ea68487f1d797304a
                                  • Instruction ID: 5074104d211fcbf00d70cf9f6cdca3c84e9ac15292b073d57797ec033446243b
                                  • Opcode Fuzzy Hash: 7395f2c5ed3ff89e1f74ade9a0ff30b8feb3083aa3fd4c9ea68487f1d797304a
                                  • Instruction Fuzzy Hash: 15028D31B102059FDB18DB68D580AAEB7E3FF84318F14856AD44ADB398DB75EC46CB81

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Xaq$$]q
                                  • API String ID: 0-1280934391
                                  • Opcode ID: 282ea3d47f430afca37bcfd57ed7146294b3f30cc710ffb7dfb4d6ee62c1cefc
                                  • Instruction ID: d43318b24f00eac7df1caf4cdf3ebc0f0fc669db3c7bdba70db58f475a0b5c04
                                  • Opcode Fuzzy Hash: 282ea3d47f430afca37bcfd57ed7146294b3f30cc710ffb7dfb4d6ee62c1cefc
                                  • Instruction Fuzzy Hash: 1DB1C230B142188BDB1CEB7899542BEBBA7BFC8750B14856DE447E7388DE34CC428796
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0a07984bcf2a7489731b71e6068bd1a137ef78165d2af1c4b506e84deb1004dd
                                  • Instruction ID: 6cf0f1fe164430c6de730980a32de73cf07091e85032dd9ca4ecc7c11c983fac
                                  • Opcode Fuzzy Hash: 0a07984bcf2a7489731b71e6068bd1a137ef78165d2af1c4b506e84deb1004dd
                                  • Instruction Fuzzy Hash: FD53EA31C10B1A8ACB51EF68C8905A9FBB1FF99300F11D79AE45877121FB70AAD5CB81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e936ed8811aad1b4f4f2f7627d8bfb4314762a4510a3f741387444e983211a2
                                  • Instruction ID: 687c0cebccf125dbf5d83ca51559b375d1b21909e87bfb1713cf2f67b3a52d21
                                  • Opcode Fuzzy Hash: 5e936ed8811aad1b4f4f2f7627d8bfb4314762a4510a3f741387444e983211a2
                                  • Instruction Fuzzy Hash: 9E332D31D107198ECB11EF68C8906ADFBB1FF89300F15D79AD459A7261EB70AAC5CB81

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $
                                  • API String ID: 0-3993045852
                                  • Opcode ID: 3c492336f13ece89d04784d4f4a6fd22f12f654a231716620702511303c7d7b5
                                  • Instruction ID: 3e8335bbc2eab203cc7c2ed0647405bc171819f61cf518254ef064f1056b0655
                                  • Opcode Fuzzy Hash: 3c492336f13ece89d04784d4f4a6fd22f12f654a231716620702511303c7d7b5
                                  • Instruction Fuzzy Hash: E022F339E102158FEF24DFA4C480AAEB7B6FF84314F209469D699AB344DB35DC42CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7c2d9a93ca5540b460007439d60c904775acdc08975cd88f19b54b6116abe509
                                  • Instruction ID: 926b995ed1e74d7e3f70b190d7886e3ff4776a80028e8e131370505030d955a7
                                  • Opcode Fuzzy Hash: 7c2d9a93ca5540b460007439d60c904775acdc08975cd88f19b54b6116abe509
                                  • Instruction Fuzzy Hash: 8E62AC34B102049FEB14DB68D584AADBBF2FF88314F149869E446EB394DB35EC46CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a0a6573791b48452014e69caf49b7053734e3e87e94a43dfcce09777a0fb28f4
                                  • Instruction ID: 6ba9078517b06d458c70032ec2c1278f90782f64feb1699491aa8bd6b8854b5f
                                  • Opcode Fuzzy Hash: a0a6573791b48452014e69caf49b7053734e3e87e94a43dfcce09777a0fb28f4
                                  • Instruction Fuzzy Hash: 2A32AE31A102098FDB14DF68D980BAEB7F6FB88314F109529E449D7396DB35EC46CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6abc579d9b1b1c7cb56a416482c6f59d81c577100d82039b165b0dc34af4de05
                                  • Instruction ID: da440f63e776ffb2a5ac5a00d6bc2c04fc639a35cab1de2b8bd8cf205215ee6d
                                  • Opcode Fuzzy Hash: 6abc579d9b1b1c7cb56a416482c6f59d81c577100d82039b165b0dc34af4de05
                                  • Instruction Fuzzy Hash: B4227070E142098FEF24DBA8D880BADB7B6FB45314F649825E489EB395CB35DC81CB51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fa92b00235a439a9ed91a0df7c077faf4d606201b9301a25f95ff9f7b14b0bba
                                  • Instruction ID: dd334b30daf7eeb2068bfdb9c0efc32adf21b2fbfdb80508dfff24d4e6b5a116
                                  • Opcode Fuzzy Hash: fa92b00235a439a9ed91a0df7c077faf4d606201b9301a25f95ff9f7b14b0bba
                                  • Instruction Fuzzy Hash: 5BB19E35E4031A8FCB45DFB0D894ADDBBBAFF8A310F148615E419AF2A5DB309846CB51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 39eaea69dd084808700eccc79426e8aad715fde02884c0f355f808e438ad7ef9
                                  • Instruction ID: 8223088727118c057e49f2bac819d7786693775bf873610182a05eb8be0c696d
                                  • Opcode Fuzzy Hash: 39eaea69dd084808700eccc79426e8aad715fde02884c0f355f808e438ad7ef9
                                  • Instruction Fuzzy Hash: ACB18CB0E00209DFDB11DFA9D9817ADBFF2EF88318F148669D515E7294EB749881CB81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c88428b2f3a61b7ae8f11b8db8756d764da63cec7a8bf8d900e27e7bd4eb6277
                                  • Instruction ID: 5dc06d46bf1f3120e77114aea54406a08966f57bf8e32c0c8dbcbb3b6de9b436
                                  • Opcode Fuzzy Hash: c88428b2f3a61b7ae8f11b8db8756d764da63cec7a8bf8d900e27e7bd4eb6277
                                  • Instruction Fuzzy Hash: 86915AB0E00209DFDF11DFA9C98579DBFF2EF88314F148569E415A7294EB749886CB81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cd98417a34e0e45978ca70117adda19e9c6a1b7aa10852bf0cc75f2da0740f8f
                                  • Instruction ID: 3611b199fd5e3dbcb9b138d02b9ad2d813dc27b7b41af6c7c6cf6f3ff356640e
                                  • Opcode Fuzzy Hash: cd98417a34e0e45978ca70117adda19e9c6a1b7aa10852bf0cc75f2da0740f8f
                                  • Instruction Fuzzy Hash: 58918D75E4031A9FCB44DFB0D8849DDFBBAFF89310F148615E41AAB2A4DB30A985CB51

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LR]q$LR]q
                                  • API String ID: 0-3917262905
                                  • Opcode ID: 70ad17f6076826b5dafc4e3e4122523c7ffbd115fee5b2c6f14d6ac3c0c9cdb3
                                  • Instruction ID: 5fadf1810c7a885febda08f0e63641c85c0a94a1cbed82d58bb21b2e2ba9227c
                                  • Opcode Fuzzy Hash: 70ad17f6076826b5dafc4e3e4122523c7ffbd115fee5b2c6f14d6ac3c0c9cdb3
                                  • Instruction Fuzzy Hash: 2B51D731A102458FDB16DF78C4907AEBFB6FF86304F1085AAE445EB290EB71A847CB51

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f9916c9512dac32b7e8e48e01b1bdfcb382b9b53c4716ddc3ad8d1212bf1b261
                                  • Instruction ID: c821968e5dd1a90d573fea2870e22f738e3dbda3ee0fad1867760bd15edbc5d1
                                  • Opcode Fuzzy Hash: f9916c9512dac32b7e8e48e01b1bdfcb382b9b53c4716ddc3ad8d1212bf1b261
                                  • Instruction Fuzzy Hash: 82412472D143998FCB04DFB9D9043AEBBF5AF89210F158A6AD444A7291DB789841CBE0

                                  Control-flow Graph

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0602CB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 3e0b69d5b83f02eaa917c1720b15f84501eb4d294589def1b731241e123a11be
                                  • Instruction ID: 6483c116e7306389a4a11828fc173134e634913dfa4d9a457818839faae320c9
                                  • Opcode Fuzzy Hash: 3e0b69d5b83f02eaa917c1720b15f84501eb4d294589def1b731241e123a11be
                                  • Instruction Fuzzy Hash: A151D0B1D003599FEB54CFA9C884ADEBFF5BF48314F24852AE818AB210D7749845CF90
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0602CB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: fbb28f70384446848ceab1bfa22beba622255e67719a69ac2338f32ad9cb0ef0
                                  • Instruction ID: c2cd7e6c9f195076c3c5c40be560a22a1949c35f163c290e5230cefce2eeec07
                                  • Opcode Fuzzy Hash: fbb28f70384446848ceab1bfa22beba622255e67719a69ac2338f32ad9cb0ef0
                                  • Instruction Fuzzy Hash: 6641C0B1D003199FDB54CF99C884ADEBFB5BF48314F24852AE818AB210D775A885CF90
                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 0602F251
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd
                                  Similarity
                                  • API ID: CallProcWindow
                                  • String ID:
                                  • API String ID: 2714655100-0
                                  • Opcode ID: 84c6ad76bfd682f0eb8ca99af5445c4c8d2aa73fd044aaf57303b5a02c30cdf5
                                  • Instruction ID: 66a7c353a0dd608ded72d7b62ecf05b989fcf18795fc846651c0cefecb7898ff
                                  • Opcode Fuzzy Hash: 84c6ad76bfd682f0eb8ca99af5445c4c8d2aa73fd044aaf57303b5a02c30cdf5
                                  • Instruction Fuzzy Hash: 1F416AB994034ACFDB54CF99C448AAABBF5FF89314F24C858D519A7321D374A844CFA0
                                  APIs
                                  • GlobalMemoryStatusEx.KERNEL32(8B550510), ref: 05EEDEEF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  • Opcode ID: fbf4c0ca65b4f8605c76d01977348b664f447fccb34546f77e12571ac4b02e72
                                  • Instruction ID: a2e343fabdc42861dda6d856e03a81e2b5419e3efdd884c3965aeede99726cbb
                                  • Opcode Fuzzy Hash: fbf4c0ca65b4f8605c76d01977348b664f447fccb34546f77e12571ac4b02e72
                                  • Instruction Fuzzy Hash: 41111FB1C006599BCB10DF9AC944A9EFBF8BF48320F10812AE818A7240D378A944CFA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PH]q
                                  • API String ID: 0-3168235125
                                  • Opcode ID: a8d30e581d6edbf1bd101f58974aaa2fa6d2b75e58c7b5b49a4efe62db102dba
                                  • Instruction ID: dd945ace053dbd3d3146e589b66706b0b98863a45e27ae56b957b96bd02d977a
                                  • Opcode Fuzzy Hash: a8d30e581d6edbf1bd101f58974aaa2fa6d2b75e58c7b5b49a4efe62db102dba
                                  • Instruction ID: 4e1e7b3589d2e95b971dbacd124a3a109266b36bf0a2919c5e0e391f20f9aee2
                                  • Opcode Fuzzy Hash: 564ab0f763d18fab666726d47b814dda19243559c1b44a51ea487554907503f4
                                  • Instruction Fuzzy Hash: 00119130B003048FEF667A79D88476E7A95FB85224F104DBAD006CB3D5DB25E8818BD5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3279717469.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_112d000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                  • Instruction ID: 1bfc29488374dcf6903948946695afd594b84138ee4a5effb45ee8ae79b5bd54
                                  • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                  • Instruction Fuzzy Hash: 1111EB75504280CFCB16CF58E5C0B15BFA1FB88314F28C6AAD8494B666C33AD41ACB62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 20e33ebd1f05c2c9e69b23cf3908da28fa8a99d79ea4cfb62c3bd53497afaada
                                  • Instruction ID: 4bd26fab589f1de3d860589a19b8d0073a78b7c637dd2df26ebe2a55a1e4027e
                                  • Opcode Fuzzy Hash: 20e33ebd1f05c2c9e69b23cf3908da28fa8a99d79ea4cfb62c3bd53497afaada
                                  • Instruction Fuzzy Hash: 06011B71A112158BCF26EFBC84902AD7AE5EB49310B1504B9D80AEB291E735E941CFA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb92322575be99e91030f816037a802316fc68b02750d7aeb24b854a10013c68
                                  • Instruction ID: a69c143c2262354393fc797232f4236372557c80042a5d52c58ac04c9ea7be45
                                  • Opcode Fuzzy Hash: bb92322575be99e91030f816037a802316fc68b02750d7aeb24b854a10013c68
                                  • Instruction Fuzzy Hash: 2F017C329402099FCB46EFB4F98098C7BB6EF61304B5042B5C008DB368EB396E09C741
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2b8deb7b7c74bc0adfc36ade36b09470ae992a44b061aea230981bebfc78581a
                                  • Instruction ID: ccd1656ba1b8c1036ba9820f3c015141cc64f2df84714083ec077d4871c9e4c7
                                  • Opcode Fuzzy Hash: 2b8deb7b7c74bc0adfc36ade36b09470ae992a44b061aea230981bebfc78581a
                                  • Instruction Fuzzy Hash: 28F0C439B402188FC714EB64D5A8B6DB7B2EF88725F1045A8E50ADB3A4DB35AD42CB40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f8b6076ed4a4938fcda8ffdead82d6c8b907e092586f119edeeab55f1fbf6a6d
                                  • Instruction ID: b342a8fac6df5ac6e2c24b213e267030fb2095a206258be3001a404742815ab7
                                  • Opcode Fuzzy Hash: f8b6076ed4a4938fcda8ffdead82d6c8b907e092586f119edeeab55f1fbf6a6d
                                  • Instruction Fuzzy Hash: A1F01D35950109AFCB45EFB4F98099D7BB9EF60308F504678C0089B268DB396E09CB81

                                  Non-executed Functions

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                  • API String ID: 0-2843079600
                                  • Opcode ID: 9030ff00760d8d17cb8b571d6875feb8cd474e94c09c54b3cfc7238f6f96074c
                                  • Instruction ID: 76da326e390bf442866a101e6189f73b7ed87829074d2cf98d46041b7d073db2
                                  • Opcode Fuzzy Hash: 9030ff00760d8d17cb8b571d6875feb8cd474e94c09c54b3cfc7238f6f96074c
                                  • Instruction Fuzzy Hash: 3D124230A10619CFDB24DF65C994A9DB7F2BF89304F20996AD44AAB354EB309D45CF41
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: XPbq$\Obq
                                  • API String ID: 0-409418754
                                  • Opcode ID: 6fc8d6f2614dacc9f0f0d1d5adf6148f9cf200e5b25b0afdf7935dd27e043569
                                  • Instruction ID: 3e60f2a71df7c8b2b9a0853c0ee2200429d1afdbe88293c6c8ba3b40ed2fafbb
                                  • Opcode Fuzzy Hash: 6fc8d6f2614dacc9f0f0d1d5adf6148f9cf200e5b25b0afdf7935dd27e043569
                                  • Instruction Fuzzy Hash: 95E1F531B201148FDF14DF68C880AADBBF6FB89724F25886AD596DB355CA35EC01C790
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f6291824f264fa3d9293c64b7a8808a4669ad374427509146980011263947604
                                  • Instruction ID: d0c65c4326ca1549f70819b412431c3558c4e53b2453087fa31e2ca401d3eb07
                                  • Opcode Fuzzy Hash: f6291824f264fa3d9293c64b7a8808a4669ad374427509146980011263947604
                                  • Instruction Fuzzy Hash: 9AB14CB0E00209CFDF11DFA9D9857AEBFF2EF88308F148569D915A7294EB749845CB81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bcb511336298bfa8d61d90a7a0d17fcbc8afbe25fa2cf95a1cc5174f24c7c704
                                  • Instruction ID: 8c6015bc40bdac8c16bf715a4192a7a25472baf4858d8a88c98661da326a0efb
                                  • Opcode Fuzzy Hash: bcb511336298bfa8d61d90a7a0d17fcbc8afbe25fa2cf95a1cc5174f24c7c704
                                  • Instruction Fuzzy Hash: B6A18136F4022A8FCF49DFB5C8405DEBBB2FF85300B15416AE915AB221DB75E945CB80
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3282856188.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6020000_bleorigin.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 131e59d7fd46ff08aedd51f342631804a495b06ea8b703c14a82c29700b3d863
                                  • Instruction ID: 5f1e47b03587e1889faffa458849855c8a57806cf6bd1509a5e30960922e9e92
                                  • Opcode Fuzzy Hash: 131e59d7fd46ff08aedd51f342631804a495b06ea8b703c14a82c29700b3d863
                                  • Instruction Fuzzy Hash: A0C11DB0C82B458BD710CF64EA4C3897BB1BB89394FA04F09D161AF2E4DBB4546ACF54
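
The function records above are all keyed on a memory-dump file name plus a set of fingerprints (Opcode ID, Instruction ID and the two fuzzy hashes). When triaging a report like this one, the interesting records are the ones whose dump is executable but "based on PE: false", since that is where unpacked or injected code usually sits, and the fingerprints are what you carry to a similarity search across other samples. The script below is an added example, not Joe Sandbox code: it parses records in this layout, decodes the dump name and groups functions per region. The sample input is two records reproduced from this page. Two assumptions are made and marked in the code: that the first two dotted fields of the .sdmp name are a process index and a stage, and that the fifth field is the Win32 page-protection value (0x40 = PAGE_EXECUTE_READWRITE), which matches the values seen throughout the report but is not documented on this page.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Two records reproduced from this page, in the exact layout the report uses.
SAMPLE_RECORDS = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.3282629716.0000000005EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5ee0000_bleorigin.jbxd
Similarity
• API ID:
• String ID: XPbq$\\Obq
• API String ID: 0-409418754
• Opcode ID: 6fc8d6f2614dacc9f0f0d1d5adf6148f9cf200e5b25b0afdf7935dd27e043569
• Instruction ID: 3e60f2a71df7c8b2b9a0853c0ee2200429d1afdbe88293c6c8ba3b40ed2fafbb
• Opcode Fuzzy Hash: 6fc8d6f2614dacc9f0f0d1d5adf6148f9cf200e5b25b0afdf7935dd27e043569
• Instruction Fuzzy Hash: 95E1F531B201148FDF14DF68C880AADBBF6FB89724F25886AD596DB355CA35EC01C790
Memory Dump Source
• Source File: 00000000.00000002.3280029883.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b00000_bleorigin.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6291824f264fa3d9293c64b7a8808a4669ad374427509146980011263947604
• Instruction ID: d0c65c4326ca1549f70819b412431c3558c4e53b2453087fa31e2ca401d3eb07
• Opcode Fuzzy Hash: f6291824f264fa3d9293c64b7a8808a4669ad374427509146980011263947604
• Instruction Fuzzy Hash: 9AB14CB0E00209CFDF11DFA9D9857AEBFF2EF88308F148569D915A7294EB749845CB81
"""

# Win32 page-protection constants. ASSUMPTION: the fifth dotted field of the
# .sdmp name carries this value (the report only ever shows 0x40 here).
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EXECUTABLE = {0x10, 0x20, 0x40}

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(r"^(?P<name>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+),"
                       r" based on PE: (?P<pe>true|false)$")


def decode_dump_name(name: str) -> Dict[str, object]:
    """Split a .sdmp file name into its dotted fields (field meaning partly assumed)."""
    parts = name.rsplit(".sdmp", 1)[0].split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected dump name layout: {name}")
    prot = int(parts[4], 16)
    return {
        "process_index": int(parts[0], 16),   # ASSUMPTION: process index
        "stage": int(parts[1], 16),           # ASSUMPTION: analysis stage
        "dump_id": parts[2],
        "base": int(parts[3], 16),            # region base, matches "Offset:" in the report
        "protection": PAGE_PROTECTION.get(prot, hex(prot)),
        "executable": prot in EXECUTABLE,
    }


def parse_records(text: str) -> List[Dict[str, object]]:
    """One dict per function record; a 'Strings' line before the record marks it."""
    records: List[Dict[str, object]] = []
    pending_strings = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Strings":
            pending_strings = True
        elif line == "Memory Dump Source":          # start of a new record
            records.append({"strings": pending_strings})
            pending_strings = False
        elif records and (m := FIELD_RE.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            rec = records[-1]
            if key == "Source File":
                sm = SOURCE_RE.match(value)
                if not sm:
                    raise ValueError(f"unparsed Source File line: {value}")
                rec["dump"] = decode_dump_name(sm.group("name"))
                rec["offset"] = int(sm.group("offset"), 16)
                rec["based_on_pe"] = sm.group("pe") == "true"
            else:
                rec[key] = value                     # empty fields stay as ""
    return records


def regions(records: List[Dict[str, object]]) -> Dict[int, Dict[str, object]]:
    """Group functions by dump base; flag executable regions not backed by a PE image."""
    out = defaultdict(lambda: {"functions": 0, "with_strings": 0, "opcode_ids": []})
    for rec in records:
        d, r = rec["dump"], out[rec["dump"]["base"]]
        r["functions"] += 1
        r["with_strings"] += int(rec["strings"])
        r["opcode_ids"].append(rec["Opcode ID"])     # fingerprints to pivot on
        r["protection"] = d["protection"]
        # Executable memory with no PE image behind it is where unpacked or
        # injected code normally lives; these regions deserve a full dump.
        r["suspicious"] = d["executable"] and not rec["based_on_pe"]
    return dict(out)


if __name__ == "__main__":
    for base, info in sorted(regions(parse_records(SAMPLE_RECORDS)).items()):
        print(f"{base:#010x} {info['protection']:<22} funcs={info['functions']} "
              f"strings={info['with_strings']} suspicious={info['suspicious']}")
```

Feed it the whole Code Analysis section of the report (copied as text) and it returns one summary per region; the opcode-ID lists per region are what you would hand to a fuzzy-hash or similarity lookup against other samples.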