
Windows Analysis Report
PAGO 041011.exe

Overview

General Information

Sample Name: PAGO 041011.exe
Analysis ID: 635309
MD5: 944523351da5539c11f2556797423ca7
SHA1: 729c0a97f2398b6fdf34db8268d20d545ebc8d23
SHA256: d285dd9606cf62e393b6203a843a9a0392da885f2f427106885bff3ebafef759
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • PAGO 041011.exe (PID: 5336 cmdline: "C:\Users\user\Desktop\PAGO 041011.exe" MD5: 944523351DA5539C11F2556797423CA7)
    • PAGO 041011.exe (PID: 5060 cmdline: C:\Users\user\Desktop\PAGO 041011.exe MD5: 944523351DA5539C11F2556797423CA7)
    • PAGO 041011.exe (PID: 5248 cmdline: C:\Users\user\Desktop\PAGO 041011.exe MD5: 944523351DA5539C11F2556797423CA7)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "logistics@jkmedical.co.in", "Password": "Logistics@1234", "Host": "us2.smtp.mailhostbox.com"}
Source | Rule | Description | Author | Strings
00000009.00000000.294242175.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000000.294242175.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.298346633.00000000025CD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000009.00000002.510778915.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.510778915.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(5 of 15 entries shown)
Source | Rule | Description | Author | Strings
9.0.PAGO 041011.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
9.0.PAGO 041011.exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
9.0.PAGO 041011.exe.400000.10.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x32b05:$s10: logins
  • 0x3256c:$s11: credential
  • 0x2eb6f:$g1: get_Clipboard
  • 0x2eb7d:$g2: get_Keyboard
  • 0x2eb8a:$g3: get_Password
  • 0x2fe77:$g4: get_CtrlKeyDown
  • 0x2fe87:$g5: get_ShiftKeyDown
  • 0x2fe98:$g6: get_AltKeyDown
9.2.PAGO 041011.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
9.2.PAGO 041011.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(5 of 34 entries shown)
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 9.0.PAGO 041011.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "logistics@jkmedical.co.in", "Password": "Logistics@1234", "Host": "us2.smtp.mailhostbox.com"}
Source: PAGO 041011.exe | Joe Sandbox ML: detected
Source: 9.0.PAGO 041011.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.PAGO 041011.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.2.PAGO 041011.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.PAGO 041011.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.PAGO 041011.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 9.0.PAGO 041011.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: PAGO 041011.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: PAGO 041011.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: EnvoyTerminatorS.pdb source: PAGO 041011.exe
Source: Binary string: EnvoyTerminatorS.pdbx source: PAGO 041011.exe
Source: Joe Sandbox View | IP Address: 208.91.198.46
Source: global traffic | TCP traffic: 192.168.2.4:49766 -> 208.91.198.46:587
Source: PAGO 041011.exe, 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PAGO 041011.exe, 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: PAGO 041011.exe, 00000009.00000002.516422219.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: PAGO 041011.exe, 00000009.00000002.518246359.0000000006A40000.00000004.00000800.00020000.00000000.sdmp, PAGO 041011.exe, 00000009.00000002.516422219.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: PAGO 041011.exe, 00000009.00000002.516422219.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: PAGO 041011.exe, 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cwMRtK.com
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PAGO 041011.exe, 00000009.00000002.516422219.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: PAGO 041011.exe, 00000009.00000002.516422219.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: PAGO 041011.exe, 00000009.00000002.516422219.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PAGO 041011.exe, 00000009.00000002.516506318.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://MnDXg1BlFqyy5v6ef.com
Source: PAGO 041011.exe, 00000009.00000002.516422219.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: PAGO 041011.exe, 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: PAGO 041011.exe, 00000000.00000002.297509868.00000000009CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 9.0.PAGO 041011.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.2.PAGO 041011.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.PAGO 041011.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.PAGO 041011.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 9.0.PAGO 041011.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PAGO 041011.exe.7170000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.PAGO 041011.exe.359fd50.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PAGO 041011.exe.7170000.10.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 9.0.PAGO 041011.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PAGO 041011.exe.35d4370.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PAGO 041011.exe.3798370.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.PAGO 041011.exe.3798370.7.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.PAGO 041011.exe.359fd50.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PAGO 041011.exe.35d4370.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PAGO 041011.exe.25e6c44.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.PAGO 041011.exe.3569930.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000000.00000002.310555924.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects zgRAT Author: ditekSHen
Source: PAGO 041011.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 9.0.PAGO 041011.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.2.PAGO 041011.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.PAGO 041011.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.PAGO 041011.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 9.0.PAGO 041011.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PAGO 041011.exe.7170000.10.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.PAGO 041011.exe.359fd50.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PAGO 041011.exe.7170000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 9.0.PAGO 041011.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PAGO 041011.exe.35d4370.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PAGO 041011.exe.3798370.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.PAGO 041011.exe.3798370.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.PAGO 041011.exe.359fd50.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PAGO 041011.exe.35d4370.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PAGO 041011.exe.25e6c44.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.PAGO 041011.exe.3569930.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000000.00000002.310555924.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 0_2_023F6E28
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 0_2_023F6E18
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 0_2_023F70B7
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 0_2_023F70C8
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 0_2_04B56730
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 0_2_04B56721
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_02A4F380
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_02A402C2
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_02A4F6C8
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_02A46560
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_06153268
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_061546D0
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_06157EF1
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_06151B1A
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_06151B78
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_06329EF0
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_0632F378
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_063278E0
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_0632C8D8
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_06321662
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_0632166A
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_06327E58
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_0632165E
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_063216B2
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_063216B6
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_063216BA
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_063216BE
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_063216A6
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_063216AA
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_063216AE
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_0632169A
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_0632169E
Source: C:\Users\user\Desktop\PAGO 041011.exe | Code function: 9_2_06329E8C
Source: PAGO 041011.exe, 00000000.00000002.298346633.00000000025CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameVWXPAylPvBolXSRrOPxmzSvrCFOhMDlBxTVwfAQ.exe4 vs PAGO 041011.exe
Source: PAGO 041011.exe, 00000000.00000002.299057067.0000000003561000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameVWXPAylPvBolXSRrOPxmzSvrCFOhMDlBxTVwfAQ.exe4 vs PAGO 041011.exe
Source: PAGO 041011.exe, 00000000.00000002.297244770.0000000000320000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEnvoyTerminatorS.exe" vs PAGO 041011.exe
Source: PAGO 041011.exe, 00000000.00000002.302444216.000000000377F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIVectorView.dllN vs PAGO 041011.exe
Source: PAGO 041011.exe, 00000000.00000002.310555924.0000000007170000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameIVectorView.dllN vs PAGO 041011.exe
Source: PAGO 041011.exe, 00000000.00000002.297509868.00000000009CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PAGO 041011.exe
Source: PAGO 041011.exe, 00000006.00000000.289433708.0000000000350000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEnvoyTerminatorS.exe" vs PAGO 041011.exe
Source: PAGO 041011.exe, 00000009.00000000.293858368.0000000000830000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEnvoyTerminatorS.exe" vs PAGO 041011.exe
Source: PAGO 041011.exe, 00000009.00000000.294242175.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameVWXPAylPvBolXSRrOPxmzSvrCFOhMDlBxTVwfAQ.exe4 vs PAGO 041011.exe
Source: PAGO 041011.exe, 00000009.00000002.512673794.00000000009C8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PAGO 041011.exe
Source: PAGO 041011.exe | Binary or memory string: OriginalFilenameEnvoyTerminatorS.exe" vs PAGO 041011.exe
Source: PAGO 041011.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PAGO 041011.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\PAGO 041011.exe "C:\Users\user\Desktop\PAGO 041011.exe"
Source: C:\Users\user\Desktop\PAGO 041011.exe | Process created: C:\Users\user\Desktop\PAGO 041011.exe C:\Users\user\Desktop\PAGO 041011.exe
Source: C:\Users\user\Desktop\PAGO 041011.exe | Process created: C:\Users\user\Desktop\PAGO 041011.exe C:\Users\user\Desktop\PAGO 041011.exe
Source: C:\Users\user\Desktop\PAGO 041011.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\PAGO 041011.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PAGO 041011.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PAGO 041011.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAGO 041011.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/1
Source: PAGO 041011.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\PAGO 041011.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: PAGO 041011.exe, SC/YQ.cs | Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\PAGO 041011.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PAGO 041011.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PAGO 041011.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PAGO 041011.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PAGO 041011.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: PAGO 041011.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: EnvoyTerminatorS.pdb source: PAGO 041011.exe
Source: Binary string: EnvoyTerminatorS.pdbx source: PAGO 041011.exe

Data Obfuscation

                    Source: PAGO 041011.exe, SC/YQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 0_2_002697E3 push cs; ret 0_2_002697E4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 6_2_002997E3 push cs; ret 6_2_002997E4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_007797E3 push cs; ret 9_2_007797E4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_06321662 push es; ret 9_2_063218C4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_0632166A push es; ret 9_2_063218C4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_0632165E push es; ret 9_2_063218C4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_063216B2 push es; ret 9_2_063218C4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_063216B6 push es; ret 9_2_063218C4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_063216BA push es; ret 9_2_063218C4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_063216BE push es; ret 9_2_063218C4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_063216A6 push es; ret 9_2_063218C4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_063216AA push es; ret 9_2_063218C4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_063216AE push es; ret 9_2_063218C4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_0632169A push es; ret 9_2_063218C4
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_0632169E push es; ret 9_2_063218C4
                    Source: initial sample Static PE information: section name: .text entropy: 7.74944838218
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: 0.2.PAGO 041011.exe.25e6c44.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000000.00000002.298346633.00000000025CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: PAGO 041011.exe PID: 5336, type: MEMORYSTR
                    Source: PAGO 041011.exe, 00000000.00000002.298346633.00000000025CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: PAGO 041011.exe, 00000000.00000002.298346633.00000000025CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Source: C:\Users\user\Desktop\PAGO 041011.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\PAGO 041011.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\PAGO 041011.exe TID: 2988 Thread sleep time: -43731s >= -30000s
                    Source: C:\Users\user\Desktop\PAGO 041011.exe TID: 3688 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\PAGO 041011.exe TID: 6160 Thread sleep time: -24903104499507879s >= -30000s
                    Source: C:\Users\user\Desktop\PAGO 041011.exe TID: 6164 Thread sleep count: 3644 > 30
                    Source: C:\Users\user\Desktop\PAGO 041011.exe TID: 6164 Thread sleep count: 5263 > 30
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Window / User API: threadDelayed 3644
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Window / User API: threadDelayed 5263
                    Source: C:\Users\user\Desktop\PAGO 041011.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\PAGO 041011.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Thread delayed: delay time: 43731
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Thread delayed: delay time: 922337203685477
                    Source: PAGO 041011.exe, 00000000.00000002.298346633.00000000025CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: PAGO 041011.exe, 00000000.00000002.298346633.00000000025CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                    Source: PAGO 041011.exe, 00000000.00000002.298346633.00000000025CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                    Source: PAGO 041011.exe, 00000000.00000002.298346633.00000000025CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Code function: 9_2_06150FF8 LdrInitializeThunk,9_2_06150FF8
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\PAGO 041011.exe Memory written: C:\Users\user\Desktop\PAGO 041011.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Process created: C:\Users\user\Desktop\PAGO 041011.exe C:\Users\user\Desktop\PAGO 041011.exe
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Process created: C:\Users\user\Desktop\PAGO 041011.exe C:\Users\user\Desktop\PAGO 041011.exe
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Users\user\Desktop\PAGO 041011.exe VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PAGO 041011.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Users\user\Desktop\PAGO 041011.exe VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PAGO 041011.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 9.0.PAGO 041011.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PAGO 041011.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PAGO 041011.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PAGO 041011.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PAGO 041011.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PAGO 041011.exe.359fd50.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PAGO 041011.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PAGO 041011.exe.35d4370.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PAGO 041011.exe.359fd50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PAGO 041011.exe.35d4370.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PAGO 041011.exe.3569930.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000000.294242175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.510778915.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.293620596.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.295256942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.294747632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299057067.0000000003561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAGO 041011.exe PID: 5336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PAGO 041011.exe PID: 5248, type: MEMORYSTR
Source: C:\Users\user\Desktop\PAGO 041011.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PAGO 041011.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PAGO 041011.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\PAGO 041011.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\PAGO 041011.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\PAGO 041011.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\PAGO 041011.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\PAGO 041011.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PAGO 041011.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAGO 041011.exe PID: 5248, type: MEMORYSTR
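The file and registry opens listed above are the observable side of the credential theft: one process reads the Thunderbird, Firefox, Chrome, FileZilla, SmartFTP, Outlook, IncrediMail and WinSCP stores in a single run. The detection below is an added example written for this page, not Joe Sandbox code or code from the sample. It replays those rows as constructed telemetry records and flags a process by breadth of access: a store's own application opening it is normal, an unrelated binary walking several stores is not. The per-store "owner" process names are an assumed allowlist and the telemetry records are constructed.

```python
"""Breadth-of-credential-store access by a single process (constructed detection)."""
import fnmatch

# Store locations taken from the report's "File opened" / "Key opened" rows, with the
# user profile and Chrome profile directory wildcarded. Owner sets are an ASSUMED
# allowlist of the applications that legitimately read each store; tune per estate.
CREDENTIAL_STORES = {
    "thunderbird": (r"*\appdata\roaming\thunderbird\profiles.ini", {"thunderbird.exe"}),
    "firefox":     (r"*\appdata\roaming\mozilla\firefox\profiles.ini", {"firefox.exe"}),
    "chrome":      (r"*\appdata\local\google\chrome\user data\*\login data", {"chrome.exe"}),
    "filezilla":   (r"*\appdata\roaming\filezilla\recentservers.xml", {"filezilla.exe"}),
    "smartftp":    (r"*\appdata\roaming\smartftp\client 2.0\favorites*", {"smartftp.exe"}),
    "outlook":     (r"hkey_current_user\software\microsoft\windows nt\currentversion"
                    r"\windows messaging subsystem\profiles\outlook*", {"outlook.exe"}),
    "incredimail": (r"hkey_current_user\software\incredimail\identities*", {"incmail.exe"}),
    "winscp":      (r"hkey_current_user\software\martin prikryl\winscp 2\sessions*", {"winscp.exe"}),
}


def match_store(target):
    """Return the store a file path or registry key belongs to, or None."""
    t = target.lower()
    for name, (pattern, _owners) in CREDENTIAL_STORES.items():
        if fnmatch.fnmatchcase(t, pattern):   # fnmatchcase: we lower-cased both sides
            return name
    return None


def foreign_store_accesses(events):
    """{pid: (image, {store, ...})} for accesses by a process that does not own the store."""
    hits = {}
    for ev in events:
        store = match_store(ev["target"])
        if store is None or ev["image"].lower() in CREDENTIAL_STORES[store][1]:
            continue
        _image, stores = hits.setdefault(ev["pid"], (ev["image"], set()))
        stores.add(store)
    return hits


def verdicts(events, breadth_threshold=3):
    """Per process: 'harvesting' once it touched >= threshold foreign stores, else 'suspicious'."""
    out = {}
    for pid, (image, stores) in foreign_store_accesses(events).items():
        level = "harvesting" if len(stores) >= breadth_threshold else "suspicious"
        out[pid] = {"image": image, "stores": sorted(stores), "verdict": level}
    return out


# Constructed telemetry: the sample's PID 5248 replaying the report's opens, plus
# benign owner accesses and one single foreign access for contrast.
SAMPLE_EVENTS = [
    {"pid": 5248, "image": "PAGO 041011.exe", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 5248, "image": "PAGO 041011.exe", "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 5248, "image": "PAGO 041011.exe", "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"pid": 5248, "image": "PAGO 041011.exe", "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"pid": 5248, "image": "PAGO 041011.exe", "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 5248, "image": "PAGO 041011.exe", "target": r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect"},
    {"pid": 5248, "image": "PAGO 041011.exe", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5248, "image": "PAGO 041011.exe", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 1200, "image": "thunderbird.exe", "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 1300, "image": "chrome.exe", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1400, "image": "explorer.exe", "target": r"C:\Users\user\Documents\notes.txt"},
    {"pid": 1500, "image": "backup.exe", "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
]

if __name__ == "__main__":
    for pid, v in verdicts(SAMPLE_EVENTS).items():
        print(pid, v["image"], v["verdict"], ", ".join(v["stores"]))
```

Feed it the equivalent fields from your file-access and registry auditing source (Sysmon event 12/13 for the keys, a file-audit SACL or EDR telemetry for the profile files); the threshold of three foreign stores is what separates a backup agent that legitimately reads one client's config from an infostealer that reads all of them.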

Remote Access Functionality

Source: Yara match | File source: 9.0.PAGO 041011.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PAGO 041011.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PAGO 041011.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PAGO 041011.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PAGO 041011.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PAGO 041011.exe.359fd50.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.PAGO 041011.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PAGO 041011.exe.35d4370.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PAGO 041011.exe.359fd50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PAGO 041011.exe.35d4370.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PAGO 041011.exe.3569930.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000000.294242175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.510778915.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.293620596.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.295256942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.294747632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299057067.0000000003561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PAGO 041011.exe PID: 5336, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PAGO 041011.exe PID: 5248, type: MEMORYSTR
Mitre Att&ck Matrix

Techniques are listed per tactic column in the matrix's row order. Bracketed digits are the hit badges shown beside a technique in the original matrix; techniques without a badge are the matrix layout only and were not observed for this sample.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [111]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [13]
Credential Access: OS Credential Dumping [2]; Input Capture [1]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]; System Information Discovery [114]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection [1]; Input Capture [1]; Archive Collected Data [11]; Data from Local System [2]; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Antivirus detection, initial sample (Source | Detection | Scanner | Label):
PAGO 041011.exe | 100% | Joe Sandbox ML | -

Antivirus detection, dropped files: No Antivirus matches

Antivirus detection, unpacked PE files (Source | Detection | Scanner | Label):
9.0.PAGO 041011.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
9.0.PAGO 041011.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
9.2.PAGO 041011.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
9.0.PAGO 041011.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
9.0.PAGO 041011.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
9.0.PAGO 041011.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8

Antivirus detection, domains: No Antivirus matches

Antivirus detection, URLs (Source | Detection | Scanner | Label):
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://cwMRtK.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
https://MnDXg1BlFqyy5v6ef.com | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://ocsp.sectigo.com0A | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
us2.smtp.mailhostbox.com | 208.91.198.46 | true | false | - | high

URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | PAGO 041011.exe, 00000009.00000002.516422219.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:HTTP/1.1 | PAGO 041011.exe, 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designersG | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://sectigo.com/CPS0 | PAGO 041011.exe, 00000009.00000002.516422219.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://us2.smtp.mailhostbox.com | PAGO 041011.exe, 00000009.00000002.516422219.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers? | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | PAGO 041011.exe, 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.goodfont.co.kr | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://cwMRtK.com | PAGO 041011.exe, 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://MnDXg1BlFqyy5v6ef.com | PAGO 041011.exe, 00000009.00000002.516506318.0000000002ED8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | PAGO 041011.exe, 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://ocsp.sectigo.com0A | PAGO 041011.exe, 00000009.00000002.516422219.0000000002EB5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | PAGO 041011.exe, 00000000.00000002.305918752.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
208.91.198.46 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
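The only contacted host is an SMTP relay, us2.smtp.mailhostbox.com, resolved to 208.91.198.46 and reached from the sample process rather than from a mail client; the matrix additionally marks the traffic as Non-Standard Port, though the report does not print the port number. The hunt below is an added example written for this page, not Joe Sandbox code or code from the sample. It joins DNS answers to outbound connections so the name is recovered for each flow, then flags SMTP-looking destinations contacted by processes that are not mail clients. The mail-client allowlist is an assumption, the DNS and connection records are constructed, and the destination port 2525 is an assumed value standing in for the unprinted one.

```python
"""Join DNS answers to outbound flows to spot SMTP exfiltration (constructed hunt)."""
from collections import defaultdict

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # ASSUMED allowlist; tune per estate
STANDARD_SMTP_PORTS = {25, 465, 587}
WEB_PORTS = {80, 443}                                # webmail over HTTP(S) is not SMTP
MAIL_LABEL_HINTS = ("smtp", "mail")
REPORT_IPS = frozenset({"208.91.198.46"})            # from the IP table above


def index_dns(dns_events):
    """Map each answered IP to the lower-cased names observed resolving to it."""
    by_ip = defaultdict(set)
    for ev in dns_events:
        for ip in ev["answers"]:
            by_ip[ip].add(ev["query"].lower())
    return by_ip


def looks_like_mail_relay(name):
    """True when a host label left of the registrable domain hints at mail, e.g. us2.smtp.<domain>."""
    labels = name.lower().split(".")
    return any(hint in label for label in labels[:-2] for hint in MAIL_LABEL_HINTS)


def smtp_exfil_findings(dns_events, conn_events, report_ips=frozenset()):
    """One finding per flow from a non-mail process to a mail relay or a report-listed IP."""
    by_ip = index_dns(dns_events)
    findings = []
    for c in conn_events:
        if c["image"].lower() in MAIL_CLIENTS:
            continue
        names = by_ip.get(c["dst_ip"], set())
        reasons = []
        if any(looks_like_mail_relay(n) for n in names) and c["dst_port"] not in WEB_PORTS:
            reasons.append("mail relay hostname contacted by a non-mail process")
            if c["dst_port"] not in STANDARD_SMTP_PORTS:
                reasons.append(f"non-standard SMTP port {c['dst_port']}")
        if c["dst_ip"] in report_ips:
            reasons.append("destination IP listed in the sandbox report")
        if reasons:
            findings.append({"pid": c["pid"], "image": c["image"],
                             "dst": f"{c['dst_ip']}:{c['dst_port']}",
                             "names": sorted(names), "reasons": reasons})
    return findings


# Constructed records. 203.0.113.10 and 198.51.100.7 are documentation addresses.
SAMPLE_DNS = [
    {"pid": 5248, "query": "us2.smtp.mailhostbox.com", "answers": ["208.91.198.46"]},
    {"pid": 1300, "query": "mail.example.net", "answers": ["203.0.113.10"]},
]
SAMPLE_CONNS = [  # port 2525 is ASSUMED; the report only says "non-standard port"
    {"pid": 5248, "image": "PAGO 041011.exe", "dst_ip": "208.91.198.46", "dst_port": 2525},
    {"pid": 1200, "image": "thunderbird.exe", "dst_ip": "203.0.113.10", "dst_port": 587},
    {"pid": 1300, "image": "chrome.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"pid": 1600, "image": "svchost.exe", "dst_ip": "198.51.100.7", "dst_port": 443},
]

if __name__ == "__main__":
    for f in smtp_exfil_findings(SAMPLE_DNS, SAMPLE_CONNS, REPORT_IPS):
        print(f["pid"], f["image"], f["dst"], f["names"], "; ".join(f["reasons"]))
```

The name join is what makes the rule portable: AgentTesla builds often rotate the SMTP account but keep using commodity mail hosters, so matching on the hostname pattern from DNS telemetry (Sysmon event 22 or resolver logs) outlives the single IP in the table.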
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 635309
Start date and time: 27/05/2022 18:54:02 (2022-05-27 18:54:02 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 29s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PAGO 041011.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@1/1
EGA Information:
• Successful, ratio: 66.7%
HDC Information:
• Successful, ratio: 1.8% (good quality ratio 1.4%)
• Quality average: 59.5%
• Quality standard deviation: 37.9%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 34
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target PAGO 041011.exe, PID 5060 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • VT rate limit hit for: PAGO 041011.exe
Time | Type | Description
18:55:28 | API Interceptor | 667x Sleep call for process: PAGO 041011.exe modified
Match | Associated Sample Name / URL | Detection
208.91.198.46 | SecuriteInfo.com.W32.AIDetectNet.01.12288.exe | malicious
208.91.198.46 | PO#5072.exe | malicious
208.91.198.46 | SecuriteInfo.com.Trojan.PackedNET.1352.29751.exe | malicious
208.91.198.46 | PO-INQUIRY-VALE-SP-2022-60.pdf.exe | malicious
208.91.198.46 | SecuriteInfo.com.W32.AIDetectNet.01.23081.exe | malicious
208.91.198.46 | DHL STATEMENT OF ACCOUNT - 1003674090.exe | malicious
208.91.198.46 | SecuriteInfo.com.W32.AIDetectNet.01.3642.exe | malicious
208.91.198.46 | DOCX.exe | malicious
208.91.198.46 | SecuriteInfo.com.W32.AIDetectNet.01.572.exe | malicious
208.91.198.46 | EkUZ0Om7a6U3nww.exe | malicious
208.91.198.46 | lUuRVnvmvP.exe | malicious
208.91.198.46 | Factura Proforma (C) n 31.exe | malicious
208.91.198.46 | SWIFT COPY.exe | malicious
208.91.198.46 | PO 18-3081.PDF.exe | malicious
208.91.198.46 | MV SUNNY FAITHPORT & PDA INQUIRY.exe | malicious
208.91.198.46 | MV. PACIFIC ENDEAVOR V2202 PARTICULARS I.docx.exe | malicious
208.91.198.46 | MV. BAOSHAN SUCCESS V.MS220512_AGENT APPOINTMENT .docx.exe | malicious
208.91.198.46 | MV ES SAKURA PDA Template.docx.exe | malicious
208.91.198.46 | DHL_11606561674.exe | malicious
208.91.198.46 | ESTADO DE CUENTA DHL - 1606561674.exe | malicious
Match | Associated Sample Name / URL | Detection | Context
us2.smtp.mailhostbox.com | DHL - OVERDUE ACCOUNT - 1301154822.exe | malicious | 162.222.225.16
us2.smtp.mailhostbox.com | DHL - OVERDUE ACCOUNT - 130115482244.exe | malicious | 208.91.198.38
us2.smtp.mailhostbox.com | SecuriteInfo.com.W32.AIDetectNet.01.12288.exe | malicious | 208.91.198.46
us2.smtp.mailhostbox.com | SecuriteInfo.com.W32.AIDetectNet.01.3171.exe | malicious | 208.91.198.38
us2.smtp.mailhostbox.com | SecuriteInfo.com.Trojan.PWS.StealerNET.122.28104.exe | malicious | 162.222.225.29
us2.smtp.mailhostbox.com | SecuriteInfo.com.W32.AIDetectNet.01.14190.exe | malicious | 162.222.225.29
us2.smtp.mailhostbox.com | SecuriteInfo.com.W32.AIDetectNet.01.11498.exe | malicious | 162.222.225.29
us2.smtp.mailhostbox.com | PO#5072.exe | malicious | 208.91.198.46
us2.smtp.mailhostbox.com | SecuriteInfo.com.W32.AIDetectNet.01.19565.exe | malicious | 162.222.225.16
us2.smtp.mailhostbox.com | SecuriteInfo.com.Trojan.PackedNET.1352.29751.exe | malicious | 208.91.198.46
us2.smtp.mailhostbox.com | Purchase_order_#133.exe | malicious | 208.91.198.38
us2.smtp.mailhostbox.com | PO-INQUIRY-VALE-SP-2022-60.pdf.exe | malicious | 208.91.198.46
us2.smtp.mailhostbox.com | SecuriteInfo.com.W32.AIDetectNet.01.20179.exe | malicious | 208.91.198.38
us2.smtp.mailhostbox.com | SecuriteInfo.com.W32.AIDetectNet.01.7467.exe | malicious | 162.222.225.29
us2.smtp.mailhostbox.com | SecuriteInfo.com.W32.AIDetectNet.01.30938.exe | malicious | 208.91.198.38
us2.smtp.mailhostbox.com | SecuriteInfo.com.W32.AIDetectNet.01.23081.exe | malicious | 208.91.198.46
us2.smtp.mailhostbox.com | Fattura Proforma (C) n 31.exe | malicious | 208.91.198.38
us2.smtp.mailhostbox.com | SecuriteInfo.com.Variant.MSILHeracles.38518.260.exe | malicious | 208.91.198.38
us2.smtp.mailhostbox.com | SecuriteInfo.com.W32.AIDetectNet.01.27311.exe | malicious | 162.222.225.16
us2.smtp.mailhostbox.com | DHL STATEMENT OF ACCOUNT - 1003674090.exe | malicious | 208.91.198.46
Match | Associated Sample Name / URL | Detection | Context
PUBLIC-DOMAIN-REGISTRYUS | CIQ-PO16266.js | malicious | 207.174.214.35
PUBLIC-DOMAIN-REGISTRYUS | DHL - OVERDUE ACCOUNT - 1301154822.exe | malicious | 162.222.225.16
PUBLIC-DOMAIN-REGISTRYUS | DHL - OVERDUE ACCOUNT - 130115482244.exe | malicious | 208.91.198.38
PUBLIC-DOMAIN-REGISTRYUS | INV00987890.exe | malicious | 162.215.253.210
PUBLIC-DOMAIN-REGISTRYUS | 6gIL6GLh9R | malicious | 119.18.52.5
PUBLIC-DOMAIN-REGISTRYUS | SOA.exe | malicious | 111.118.215.27
PUBLIC-DOMAIN-REGISTRYUS | G4tQVT2iUBOkX0S.exe | malicious | 162.215.253.210
PUBLIC-DOMAIN-REGISTRYUS | Statement of Account (SOA).exe | malicious | 162.251.80.27
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.W32.AIDetectNet.01.12288.exe | malicious | 208.91.198.46
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.W32.AIDetectNet.01.3171.exe | malicious | 208.91.198.38
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.Trojan.PWS.StealerNET.122.28104.exe | malicious | 162.222.225.29
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.W32.AIDetectNet.01.14190.exe | malicious | 162.222.225.29
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.W32.AIDetectNet.01.11498.exe | malicious | 162.222.225.29
PUBLIC-DOMAIN-REGISTRYUS | PO#5072.exe | malicious | 208.91.198.46
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.W32.AIDetectNet.01.19565.exe | malicious | 162.222.225.16
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.Trojan.PackedNET.1352.29751.exe | malicious | 208.91.198.46
PUBLIC-DOMAIN-REGISTRYUS | http://6nreijjndg03nhn.tuarquetipo.com./#aHR0cHM6Ly93d3cuY3ZlZ2ozajg3LnRvcC8/ZW1haWw9YW1pdGFiaGEucmF5QHNjaHJlaWJlcmZvb2RzLmNvbQ== | malicious | 208.91.198.109
PUBLIC-DOMAIN-REGISTRYUS | Purchase_order_#133.exe | malicious | 208.91.198.38
PUBLIC-DOMAIN-REGISTRYUS | PO-INQUIRY-VALE-SP-2022-60.pdf.exe | malicious | 208.91.198.46
PUBLIC-DOMAIN-REGISTRYUS | SecuriteInfo.com.W32.AIDetectNet.01.20179.exe | malicious | 208.91.198.38
                                                                                    No context
                                                                                    No context
                                                                                    Process:C:\Users\user\Desktop\PAGO 041011.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1308
                                                                                    Entropy (8bit):5.345811588615766
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                                                    MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                                                    SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                                                    SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                                                    SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                                                    Malicious:true
                                                                                    Reputation:high, very likely benign file
                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Entropy (8bit):7.751112562697552
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                    File name:PAGO 041011.exe
                                                                                    File size:797696
                                                                                    MD5:944523351da5539c11f2556797423ca7
                                                                                    SHA1:729c0a97f2398b6fdf34db8268d20d545ebc8d23
                                                                                    SHA256:d285dd9606cf62e393b6203a843a9a0392da885f2f427106885bff3ebafef759
                                                                                    SHA512:c4f47c728972580d9802f1bae0ee671c83f2b73d646a3af4a588cb8cadb1ca5e9c2ef48937e0c689fa5a8615f71587e07784f927012a7b37e583b926e50f4b74
                                                                                    SSDEEP:12288:BY8mA9rtULz/q7pbH44FQSDtjBt06kqAEy+f8ZJkMm3TZl2cmBtXaqrix:awqzCdb3QU/pyeLMm32cmTxA
                                                                                    TLSH:9305E16EB692AD13C1280BF680D7840423F15647E176E7872FC721C72E0ABE54DDAB5B
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0......Z........... ........@.. ....................................@................................
                                                                                    Icon Hash:4462f276dcec30e6
                                                                                    Entrypoint:0x4bef9e
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                    Time Stamp:0x6290DD8F [Fri May 27 14:17:51 2022 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:v4.0.30319
                                                                                    OS Version Major:4
                                                                                    OS Version Minor:0
                                                                                    File Version Major:4
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:4
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                    Instruction
                                                                                    jmp dword ptr [00402000h]
                                                                                    add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xbef50          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc0000          0x57d0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc6000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xbeefa          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xbcfa4       0xbd000   False     0.883891110698   data       7.74944838218   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xc0000          0x57d0        0x5800    False     0.965110085227   data       7.8921242943    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc6000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                         Language  Country
RT_ICON        0xc0130  0x51a3  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON  0xc52d4  0x14    data
RT_VERSION     0xc52e8  0x2fc   data
RT_MANIFEST    0xc55e4  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
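Added example (not part of the Joe Sandbox report and not code from the sample): a stand-alone PE32 triage script that reproduces the two facts the section table, data directories and import table above establish for this file. A populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (here 0x2008, size 0x48) marks a managed .NET assembly, which is why the only native import is mscoree!_CorExeMain; and a code section with entropy of 7.75 bits/byte (.text) next to a 7.89 resource section is what a packed or encrypted payload looks like. The PE the script inspects is a hand-built fixture that mirrors the report's RVAs; the 7.0 entropy threshold and the finding wording are assumptions.

```python
"""Static triage of a PE32: detect a CLR header (managed .NET image) and flag
sections whose byte entropy is near 8 bits/byte (packed/encrypted content).
Added example for this page, not Joe Sandbox code. Standard library only; the
PE it parses is a constructed fixture, not the analysed sample."""
import math
import random
import struct
from collections import Counter

COM_DESCRIPTOR_INDEX = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF/optional header -> section table (PE32 only)."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    num_dirs = struct.unpack_from("<I", blob, opt + 92)[0]          # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(min(num_dirs, 16))]
    clr_va, clr_size = dirs[COM_DESCRIPTOR_INDEX] if len(dirs) > COM_DESCRIPTOR_INDEX else (0, 0)
    sections = []
    for i in range(num_sections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        name, vsize, va, raw_size, raw_ptr, flags = hdr[0], hdr[1], hdr[2], hdr[3], hdr[4], hdr[9]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "flags": flags,
                         "entropy": shannon_entropy(blob[raw_ptr:raw_ptr + raw_size])})
    return {"is_dotnet": clr_va != 0 and clr_size != 0, "sections": sections}


def triage(blob: bytes, packed_threshold: float = 7.0) -> list:
    """Findings in the spirit of the report's section table (threshold is an assumption)."""
    info = parse_pe(blob)
    findings = []
    if info["is_dotnet"]:
        findings.append("managed .NET assembly: CLR header present, entry via mscoree!_CorExeMain")
    for s in info["sections"]:
        if s["entropy"] < packed_threshold:
            continue
        kind = "executable" if s["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) else "data"
        findings.append(f"{s['name']}: {kind} section with entropy {s['entropy']:.2f} bits/byte "
                        "(packed/encrypted content)")
    return findings


def build_sample_pe(text_data: bytes, rsrc_data: bytes, dotnet: bool = True) -> bytes:
    """Constructed fixture: a minimal PE32 with .text and .rsrc at the report's RVAs.
    Only the fields the parser reads are populated."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[COM_DESCRIPTOR_INDEX] = (0x2008, 0x48)                 # CLR header RVA/size as in the report
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)   # magic ... NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)  # i386, two sections
    layout = [(b".text", 0x2000, text_data, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
              (b".rsrc", 0xC0000, rsrc_data, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)]
    raw_ptr, sec_hdrs, body = 0x200, b"", b""
    for name, va, data, flags in layout:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, flags)
        body += data
        raw_ptr += len(data)
    headers = dos + b"PE\0\0" + coff + opt + sec_hdrs
    assert len(headers) <= 0x200
    return headers.ljust(0x200, b"\0") + body


def pseudo_random_bytes(n: int, seed: int = 1) -> bytes:
    """Deterministic high-entropy filler standing in for a packed payload."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Fixtures: a "packed .NET" look-alike and a plain native image with low-entropy code.
PACKED_DOTNET_PE = build_sample_pe(pseudo_random_bytes(4096), b"\0" * 512)
PLAIN_NATIVE_PE = build_sample_pe(b"\x90" * 64 + b"\xc3", b"\0" * 64, dotnet=False)

if __name__ == "__main__":
    for line in triage(PACKED_DOTNET_PE):
        print(line)
```

Running the script against the packed fixture yields the two findings; the native fixture yields none. On a real sample, compare the per-section numbers with the report's (7.75 for .text, 7.89 for .rsrc) and treat a high-entropy .rsrc in a .NET binary as a hint that the next stage is stored as an encrypted resource, which matches the injection into a second instance of the same executable seen later in this report.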
Description       Data
Translation       0x0000 0x04b0
LegalCopyright
Assembly Version  1.0.0.0
InternalName      EnvoyTerminatorS.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion    1.0.0.0
FileDescription
OriginalFilename  EnvoyTerminatorS.exe
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
May 27, 2022 18:55:49.713362932 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:49.922554016 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:49.922697067 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:51.138128996 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:51.138690948 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:51.347852945 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:51.347879887 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:51.348267078 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:51.557518959 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:51.607098103 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:51.816951036 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:51.817006111 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:51.817037106 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:51.817054987 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:51.817096949 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:51.817125082 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:51.818969011 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:51.872983932 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:52.026288986 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:52.049781084 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:52.259737015 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:52.310487986 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:52.370445967 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:52.606142044 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:52.622620106 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:52.833873987 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:52.834742069 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:53.047013998 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:53.047961950 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:53.259996891 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:53.260545969 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:53.483143091 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:53.483684063 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:53.696765900 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:53.697957039 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:53.698120117 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:53.698879957 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:53.698962927 CEST  49766        587        192.168.2.4    208.91.198.46
May 27, 2022 18:55:53.907169104 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:53.907989025 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:54.043982983 CEST  587          49766      208.91.198.46  192.168.2.4
May 27, 2022 18:55:54.091948032 CEST  49766        587        192.168.2.4    208.91.198.46
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
May 27, 2022 18:55:49.633374929 CEST  56076        53         192.168.2.4  8.8.8.8
May 27, 2022 18:55:49.656034946 CEST  53           56076      8.8.8.8      192.168.2.4
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class
May 27, 2022 18:55:49.633374929 CEST  192.168.2.4  8.8.8.8  0x87f7    Standard query (0)  us2.smtp.mailhostbox.com  A (IP address)  IN (0x0001)

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                      CName  Address         Type            Class
May 27, 2022 18:55:49.656034946 CEST  8.8.8.8    192.168.2.4  0x87f7    No error (0)  us2.smtp.mailhostbox.com         208.91.198.46   A (IP address)  IN (0x0001)
May 27, 2022 18:55:49.656034946 CEST  8.8.8.8    192.168.2.4  0x87f7    No error (0)  us2.smtp.mailhostbox.com         162.222.225.16  A (IP address)  IN (0x0001)
May 27, 2022 18:55:49.656034946 CEST  8.8.8.8    192.168.2.4  0x87f7    No error (0)  us2.smtp.mailhostbox.com         208.91.198.38   A (IP address)  IN (0x0001)
May 27, 2022 18:55:49.656034946 CEST  8.8.8.8    192.168.2.4  0x87f7    No error (0)  us2.smtp.mailhostbox.com         162.222.225.29  A (IP address)  IN (0x0001)
Timestamp                             Source Port  Dest Port  Source IP      Dest IP        Commands
May 27, 2022 18:55:51.138128996 CEST  587          49766      208.91.198.46  192.168.2.4    220 us2.outbound.mailhostbox.com ESMTP Postfix
May 27, 2022 18:55:51.138690948 CEST  49766        587        192.168.2.4    208.91.198.46  EHLO 562258
May 27, 2022 18:55:51.347879887 CEST  587          49766      208.91.198.46  192.168.2.4    250-us2.outbound.mailhostbox.com
                                                                                            250-PIPELINING
                                                                                            250-SIZE 41648128
                                                                                            250-VRFY
                                                                                            250-ETRN
                                                                                            250-STARTTLS
                                                                                            250-AUTH PLAIN LOGIN
                                                                                            250-AUTH=PLAIN LOGIN
                                                                                            250-ENHANCEDSTATUSCODES
                                                                                            250-8BITMIME
                                                                                            250-DSN
                                                                                            250 CHUNKING
May 27, 2022 18:55:51.348267078 CEST  49766        587        192.168.2.4    208.91.198.46  STARTTLS
May 27, 2022 18:55:51.557518959 CEST  587          49766      208.91.198.46  192.168.2.4    220 2.0.0 Ready to start TLS
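Added example (not from the report, the sandbox or the sample): a small Python triage of the DNS, TCP and SMTP records above, with the input records constructed from those tables. It reconstructs the SMTP dialogue, maps the destination IP back to the hostname the process resolved, and produces the indicators a detection engineer would key on for AgentTesla-style mail exfiltration: outbound submission traffic (tcp/587) from a workstation to an external mail host, an EHLO argument that does not look like a hostname, a server that advertises PLAIN/LOGIN authentication, and STARTTLS completing before any AUTH or MAIL FROM. That last point is the practical caveat: everything after "220 2.0.0 Ready to start TLS" is encrypted on the wire, so the recipient mailbox and the SMTP credentials have to come from the extracted malware configuration, not from the capture. The internal prefix, the port list and the finding wording are assumptions.

```python
"""Triage of a sandbox network trace for SMTP exfiltration. Added example for
this page, not Joe Sandbox code. Records are constructed from the report's
DNS, TCP and SMTP tables; the rules are the author's own."""
import ipaddress
import re

MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission"}   # assumption: ports worth flagging

# Constructed input modelled on the tables above: (name, address), flows, SMTP lines.
DNS_ANSWERS = [("us2.smtp.mailhostbox.com", "208.91.198.46"),
               ("us2.smtp.mailhostbox.com", "162.222.225.16")]
TCP_FLOWS = [("192.168.2.4", 49766, "208.91.198.46", 587),    # (src, sport, dst, dport)
             ("192.168.2.4", 56076, "8.8.8.8", 53)]
SMTP_LINES = [("S", "220 us2.outbound.mailhostbox.com ESMTP Postfix"),
              ("C", "EHLO 562258"),
              ("S", "250-us2.outbound.mailhostbox.com"),
              ("S", "250-PIPELINING"),
              ("S", "250-STARTTLS"),
              ("S", "250-AUTH PLAIN LOGIN"),
              ("S", "250-AUTH=PLAIN LOGIN"),
              ("S", "250 CHUNKING"),
              ("C", "STARTTLS"),
              ("S", "220 2.0.0 Ready to start TLS")]


def parse_smtp(lines):
    """Reconstruct the client/server SMTP dialogue up to the point TLS starts."""
    s = {"banner": None, "ehlo_name": None, "extensions": [], "auth": set(),
         "starttls_sent": False, "tls_started": False}
    ehlo_replies = 0
    for who, text in lines:
        if who == "C":
            verb, _, arg = text.partition(" ")
            if verb.upper() in ("EHLO", "HELO"):
                s["ehlo_name"] = arg
            elif verb.upper() == "STARTTLS":
                s["starttls_sent"] = True
            continue
        code, rest = text[:3], text[4:]
        if code == "220" and s["banner"] is None:          # greeting carries the server name
            s["banner"] = rest.split()[0]
        elif code == "220" and s["starttls_sent"]:         # 220 after STARTTLS: handshake begins
            s["tls_started"] = True
        elif code == "250":
            ehlo_replies += 1
            if ehlo_replies > 1:                            # first 250 line echoes the server name
                s["extensions"].append(rest)
                m = re.match(r"AUTH[ =](.+)", rest)
                if m:
                    s["auth"].update(m.group(1).split())
    return s


def hosts_for(ip, dns_answers):
    """Names the sample resolved to this address (reverse lookup in the observed DNS answers)."""
    return [name for name, addr in dns_answers if addr == ip]


def exfil_indicators(dns_answers, flows, smtp, internal=ipaddress.ip_network("192.168.0.0/16")):
    """Findings for an analyst; 'internal' is the sandbox network and is an assumption."""
    findings = []
    for src, sport, dst, dport in flows:
        if dport not in MAIL_PORTS:
            continue
        if ipaddress.ip_address(src) in internal and ipaddress.ip_address(dst) not in internal:
            name = (hosts_for(dst, dns_answers) or ["<unresolved>"])[0]
            findings.append(f"outbound {MAIL_PORTS[dport]} (tcp/{dport}) from {src}:{sport} "
                            f"to {dst} ({name})")
    if smtp["ehlo_name"] and not re.search(r"[A-Za-z]", smtp["ehlo_name"]):
        findings.append(f"EHLO argument {smtp['ehlo_name']!r} contains no letters; not a normal hostname")
    if smtp["auth"]:
        findings.append("server offers " + "/".join(sorted(smtp["auth"])) +
                        " authentication: the client will send a password on this connection")
    if smtp["tls_started"]:
        findings.append("STARTTLS completed before AUTH/MAIL FROM: recipient and credentials are not "
                        "in the capture; take them from the extracted malware configuration")
    return findings


if __name__ == "__main__":
    for line in exfil_indicators(DNS_ANSWERS, TCP_FLOWS, parse_smtp(SMTP_LINES)):
        print(line)
```

The reverse mapping through observed DNS answers rather than a live PTR lookup is deliberate: it ties the mail host to the name the sample itself asked for, and it works offline on a capture. Feed the function the other three A records from the answer above and the mapping still resolves, which is useful when a re-run connects to a different address of the same mail provider.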

                                                                                    Target ID:0
                                                                                    Start time:18:55:11
                                                                                    Start date:27/05/2022
                                                                                    Path:C:\Users\user\Desktop\PAGO 041011.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\PAGO 041011.exe"
                                                                                    Imagebase:0x260000
                                                                                    File size:797696 bytes
                                                                                    MD5 hash:944523351DA5539C11F2556797423CA7
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:.Net C# or VB.NET
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.298346633.00000000025CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.310555924.0000000007170000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.299057067.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.299057067.0000000003561000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:low

                                                                                    Target ID:6
                                                                                    Start time:18:55:31
                                                                                    Start date:27/05/2022
                                                                                    Path:C:\Users\user\Desktop\PAGO 041011.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Users\user\Desktop\PAGO 041011.exe
                                                                                    Imagebase:0x290000
                                                                                    File size:797696 bytes
                                                                                    MD5 hash:944523351DA5539C11F2556797423CA7
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low

                                                                                    Target ID:9
                                                                                    Start time:18:55:32
                                                                                    Start date:27/05/2022
                                                                                    Path:C:\Users\user\Desktop\PAGO 041011.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Users\user\Desktop\PAGO 041011.exe
                                                                                    Imagebase:0x770000
                                                                                    File size:797696 bytes
                                                                                    MD5 hash:944523351DA5539C11F2556797423CA7
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:.Net C# or VB.NET
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.294242175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.294242175.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.510778915.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.510778915.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.514040799.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.293620596.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.293620596.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.295256942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.295256942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.294747632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.294747632.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    Reputation:low


                                                                                      Execution Graph

                                                                                      Execution Coverage:13.1%
                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                      Signature Coverage:0%
                                                                                      Total number of Nodes:122
                                                                                      Total number of Limit Nodes:8
execution_graph: rendered call graph (node and edge identifiers omitted). Windows API nodes reached in the graph: CallWindowProcW, GetModuleHandleW, LoadLibraryExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, SetWindowLongW, CreateWindowExW, DuplicateHandle, CreateActCtxA.
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298143380.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_23f0000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 446eb51e09d0d85d60c41149d82b63d8385a65490e7103b4960de7f7fff0d143
                                                                                      • Instruction ID: 7bc1a1e60318628feb43df0dbdd1f5900d8881183b07a37157839b310842798f
                                                                                      • Opcode Fuzzy Hash: 446eb51e09d0d85d60c41149d82b63d8385a65490e7103b4960de7f7fff0d143
                                                                                      • Instruction Fuzzy Hash: 627181B1E042048FDB49EF7AE555A9ABBF7FB95304F04C83AD1059B274EB70580A9F41
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32 ref: 04B538B0
                                                                                      • GetCurrentThread.KERNEL32 ref: 04B538ED
                                                                                      • GetCurrentProcess.KERNEL32 ref: 04B5392A
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 04B53983
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: Current$ProcessThread
                                                                                      • String ID:
                                                                                      • API String ID: 2063062207-0
                                                                                      • Opcode ID: f67f0cd25dc6bd87e55005e4a7759c99951a2e6da03a29a85451f5650578f9a3
                                                                                      • Instruction ID: c948dcf597d71b26a22fda1f58f60da84fdf1409f8d7bc4d00573a81760e2be5
                                                                                      • Opcode Fuzzy Hash: f67f0cd25dc6bd87e55005e4a7759c99951a2e6da03a29a85451f5650578f9a3
                                                                                      • Instruction Fuzzy Hash: 655146B0D00649CFEB14DFA9C54879EBBF1EB48314F108199E81AA7360D774A944CF66
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 20 4b57eb8-4b57f1e 21 4b57f20-4b57f26 20->21 22 4b57f29-4b57f30 20->22 21->22 23 4b57f32-4b57f38 22->23 24 4b57f3b-4b57fda CreateWindowExW 22->24 23->24 26 4b57fe3-4b5801b 24->26 27 4b57fdc-4b57fe2 24->27 31 4b5801d-4b58020 26->31 32 4b58028 26->32 27->26 31->32 33 4b58029 32->33 33->33
                                                                                      APIs
                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04B57FCA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateWindow
                                                                                      • String ID:
                                                                                      • API String ID: 716092398-0
                                                                                      • Opcode ID: 6442b65780d5821f324b8d413739655d05e7a2131e4e7f5db5a34f534e168091
                                                                                      • Instruction ID: 7e5622022ede032a8503d1824669b3a2a2cd161b31a2a7efa574265e66bc591f
                                                                                      • Opcode Fuzzy Hash: 6442b65780d5821f324b8d413739655d05e7a2131e4e7f5db5a34f534e168091
                                                                                      • Instruction Fuzzy Hash: 1941B0B1D003499FDB14CFA9C884ADEFBB5FF48314F24812AE819AB210D774A845CF91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 34 23f573c-23f5746 35 23f5748-23f5809 CreateActCtxA 34->35 37 23f580b-23f5811 35->37 38 23f5812-23f586c 35->38 37->38 45 23f586e-23f5871 38->45 46 23f587b-23f587f 38->46 45->46 47 23f5881-23f588d 46->47 48 23f5890 46->48 47->48 49 23f5891 48->49 49->49
                                                                                      APIs
                                                                                      • CreateActCtxA.KERNEL32(?), ref: 023F57F9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298143380.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_23f0000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: Create
                                                                                      • String ID:
                                                                                      • API String ID: 2289755597-0
                                                                                      • Opcode ID: 18b9fa3bd33bb254e155f8f31ac6d80e19cec89153237f634646575c12879d7e
                                                                                      • Instruction ID: eac7864f3ad0de2cfad6c0adfeee9e933628c1a205d692d48bbdaf72bcd8488e
                                                                                      • Opcode Fuzzy Hash: 18b9fa3bd33bb254e155f8f31ac6d80e19cec89153237f634646575c12879d7e
                                                                                      • Instruction Fuzzy Hash: 38411471C00718CBDB24DFA9C984BCEFBB1BF48308F608069D509AB251DB74A94ACF91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 51 4b560dc-4b5a4ac 54 4b5a4b2-4b5a4b7 51->54 55 4b5a55c-4b5a57c call 4b55fb4 51->55 57 4b5a4b9-4b5a4f0 54->57 58 4b5a50a-4b5a542 CallWindowProcW 54->58 62 4b5a57f-4b5a58c 55->62 65 4b5a4f2-4b5a4f8 57->65 66 4b5a4f9-4b5a508 57->66 59 4b5a544-4b5a54a 58->59 60 4b5a54b-4b5a55a 58->60 59->60 60->62 65->66 66->62
                                                                                      APIs
                                                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 04B5A531
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: CallProcWindow
                                                                                      • String ID:
                                                                                      • API String ID: 2714655100-0
                                                                                      • Opcode ID: 0eecaf86a6c6405a9d2d528b1b50fdb0fa3ebc60079711ac2e72999c206467d2
                                                                                      • Instruction ID: 3453bef78c729e722b30a5aebb5bddf9d9d3a1e6a526495cc3935ae3d56b1dc0
                                                                                      • Opcode Fuzzy Hash: 0eecaf86a6c6405a9d2d528b1b50fdb0fa3ebc60079711ac2e72999c206467d2
                                                                                      • Instruction Fuzzy Hash: A14136B5A00205DFDB10CF99C488BAAFBF5FB8C314F148599E919AB321D374E845CBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 68 23f4210-23f5809 CreateActCtxA 71 23f580b-23f5811 68->71 72 23f5812-23f586c 68->72 71->72 79 23f586e-23f5871 72->79 80 23f587b-23f587f 72->80 79->80 81 23f5881-23f588d 80->81 82 23f5890 80->82 81->82 83 23f5891 82->83 83->83
                                                                                      APIs
                                                                                      • CreateActCtxA.KERNEL32(?), ref: 023F57F9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298143380.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_23f0000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: Create
                                                                                      • String ID:
                                                                                      • API String ID: 2289755597-0
                                                                                      • Opcode ID: 4b421509c39bc9698c4c84abac3a3ded0882a52b1b37e60a7472000f5f24949b
                                                                                      • Instruction ID: 203a93738926944d0a1b1f1b08ad31918ce6cc05fb1fc63e7f10c04d7f7cfd02
                                                                                      • Opcode Fuzzy Hash: 4b421509c39bc9698c4c84abac3a3ded0882a52b1b37e60a7472000f5f24949b
                                                                                      • Instruction Fuzzy Hash: A8411471D0471CCBDB20CFA9C984B8EBBF5BF48308F5080A9D508AB251DB75A94ACF91
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 85 4b53a78-4b53b0c DuplicateHandle 86 4b53b15-4b53b32 85->86 87 4b53b0e-4b53b14 85->87 87->86
                                                                                      APIs
                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04B53AFF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: DuplicateHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3793708945-0
                                                                                      • Opcode ID: 28b3d42aea08fbbb41a6c9dd21e4b13413f4e7fe0ed4e91653b1a26881c4abbc
                                                                                      • Instruction ID: c86065e4d82406ce0d8cc623f09e47eefe801d0086fb6442fe61a7f3cb903d9f
                                                                                      • Opcode Fuzzy Hash: 28b3d42aea08fbbb41a6c9dd21e4b13413f4e7fe0ed4e91653b1a26881c4abbc
                                                                                      • Instruction Fuzzy Hash: B921C4B5901218AFDB10CFA9D584ADEFBF9EB48324F14845AE914A7310D374A954CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 90 4b516ec-4b51d10 92 4b51d12-4b51d15 90->92 93 4b51d18-4b51d47 LoadLibraryExW 90->93 92->93 94 4b51d50-4b51d6d 93->94 95 4b51d49-4b51d4f 93->95 95->94
                                                                                      APIs
                                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04B51B29,00000800,00000000,00000000), ref: 04B51D3A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID:
                                                                                      • API String ID: 1029625771-0
                                                                                      • Opcode ID: 421fad701b7fb1101b7961f56836a2342fd32160cc3a1eedcf88236146f2f830
                                                                                      • Instruction ID: 53253b0b4e2a87c2520995a50e82ad254f75c69df5a39b0aac92ad36f6b20303
                                                                                      • Opcode Fuzzy Hash: 421fad701b7fb1101b7961f56836a2342fd32160cc3a1eedcf88236146f2f830
                                                                                      • Instruction Fuzzy Hash: FE1112B6D002089FDB10DF9AC444BDEFBF4EB88324F14846AE919B7210C375A945CFA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 98 4b51643-4b51688 99 4b51690-4b516bb GetModuleHandleW 98->99 100 4b5168a-4b5168d 98->100 101 4b516c4-4b516d8 99->101 102 4b516bd-4b516c3 99->102 100->99 102->101
                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 04B516AE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: HandleModule
                                                                                      • String ID:
                                                                                      • API String ID: 4139908857-0
                                                                                      • Opcode ID: 7c3920cdd750c633334608b5c9a401217d2613b6282c6fff3cb32781d68e13af
                                                                                      • Instruction ID: a8ee0615fe1e3a1619a7ee1b0346c6d4404385cbc1a60a79053b71fc1ab74bbc
                                                                                      • Opcode Fuzzy Hash: 7c3920cdd750c633334608b5c9a401217d2613b6282c6fff3cb32781d68e13af
                                                                                      • Instruction Fuzzy Hash: 7C1116B2C007498FDB10DF9AD4447DEFBF4EB48314F14855AD919A7210D374A546CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 104 4b51648-4b51688 105 4b51690-4b516bb GetModuleHandleW 104->105 106 4b5168a-4b5168d 104->106 107 4b516c4-4b516d8 105->107 108 4b516bd-4b516c3 105->108 106->105 108->107
                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 04B516AE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: HandleModule
                                                                                      • String ID:
                                                                                      • API String ID: 4139908857-0
                                                                                      • Opcode ID: 833fab5537753c564ba44e4e343c0db5ef002e3e4c8fbb530e26f8ca6af84f1f
                                                                                      • Instruction ID: 932eb9b46b7ca29bfb0efa89aca3bf8f8fca92b5606ebcd0a3936f7791e91649
                                                                                      • Opcode Fuzzy Hash: 833fab5537753c564ba44e4e343c0db5ef002e3e4c8fbb530e26f8ca6af84f1f
                                                                                      • Instruction Fuzzy Hash: BD1113B2C006098FDB10DF9AC444BDEFBF4EB88324F14845AD919A7210C374A945CFA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 110 4b580f8-4b5816a SetWindowLongW 111 4b58173-4b58187 110->111 112 4b5816c-4b58172 110->112 112->111
                                                                                      APIs
                                                                                      • SetWindowLongW.USER32(?,?,?), ref: 04B5815D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: LongWindow
                                                                                      • String ID:
                                                                                      • API String ID: 1378638983-0
                                                                                      • Opcode ID: a1186dbd850600c799232fd37e9bc3bc6a19cc64943eae0e294b864fbd020d3b
                                                                                      • Instruction ID: 034c65517e363827600f738f4d68c0d0ba0e13daf6b10653e86d1cc4f2f9d1d4
                                                                                      • Opcode Fuzzy Hash: a1186dbd850600c799232fd37e9bc3bc6a19cc64943eae0e294b864fbd020d3b
                                                                                      • Instruction Fuzzy Hash: 8D1103B69002089FDB10DF99D584BDEFBF8EB48324F10845AD918A7300C3B5A955CFA2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 114 4b58100-4b5816a SetWindowLongW 115 4b58173-4b58187 114->115 116 4b5816c-4b58172 114->116 116->115
                                                                                      APIs
                                                                                      • SetWindowLongW.USER32(?,?,?), ref: 04B5815D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: LongWindow
                                                                                      • String ID:
                                                                                      • API String ID: 1378638983-0
                                                                                      • Opcode ID: 0f5237b881b6dce18b93d6fbd3f3563bda2ed000782b69a21414ab2db9614264
                                                                                      • Instruction ID: b2e1f0df9f04c88d92cf57bd8daab048ed01393b75f84b132a92f70dc248fa00
                                                                                      • Opcode Fuzzy Hash: 0f5237b881b6dce18b93d6fbd3f3563bda2ed000782b69a21414ab2db9614264
                                                                                      • Instruction Fuzzy Hash: C511E2B5900209DFDB10EF9AD584BDEFBF8EB48324F10845AD919A7300C3B4A954CFA2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%
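The function entries above follow one fixed layout (an APIs block, a Memory Dump Source block, a Similarity block, a Uniqueness score), which makes them easy to lift into structured records for triage: counting which Win32 APIs the JIT-compiled code reaches, or grouping functions by the dumped region they came from. The parser below is an added example, not Joe Sandbox code; its input is two entries copied verbatim from this report (DuplicateHandle at 04B53AFF and the GetCurrentProcess/GetCurrentThread group), with the graph legend and blank lines omitted, and the record keys (`start`, `api_calls`, `offset_in_region`, `fields`) are this script's own naming. Because every region here is marked `based on PE: false`, the `ref` addresses are positions in a runtime-allocated dump rather than file offsets, so the script reports each call's offset relative to the region base instead of pretending it has an RVA.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function listings into records.

Added example, not Joe Sandbox code. It assumes only the plain-text layout
seen in this report (an 'APIs' block, a 'Memory Dump Source' block and a
'Similarity' block per function); the record keys are this script's own.
"""
import re
from collections import Counter

# Constructed input: two entries copied from the report, with the
# 'Control-flow Graph' legend and blank lines left out.
SAMPLE = """\
control_flow_graph 85 4b53a78-4b53b0c DuplicateHandle 86 4b53b15-4b53b32 85->86 87 4b53b0e-4b53b14 85->87 87->86
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04B53AFF
Memory Dump Source
• Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 28b3d42aea08fbbb41a6c9dd21e4b13413f4e7fe0ed4e91653b1a26881c4abbc
• Instruction ID: c86065e4d82406ce0d8cc623f09e47eefe801d0086fb6442fe61a7f3cb903d9f
• Opcode Fuzzy Hash: 28b3d42aea08fbbb41a6c9dd21e4b13413f4e7fe0ed4e91653b1a26881c4abbc
• Instruction Fuzzy Hash: B921C4B5901218AFDB10CFA9D584ADEFBF9EB48324F14845AE914A7310D374A954CFA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetCurrentProcess.KERNEL32 ref: 04B538B0
• GetCurrentThread.KERNEL32 ref: 04B538ED
• GetCurrentProcess.KERNEL32 ref: 04B5392A
• GetCurrentThreadId.KERNEL32 ref: 04B53983
Memory Dump Source
• Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: f67f0cd25dc6bd87e55005e4a7759c99951a2e6da03a29a85451f5650578f9a3
• Instruction ID: c948dcf597d71b26a22fda1f58f60da84fdf1409f8d7bc4d00573a81760e2be5
• Opcode Fuzzy Hash: f67f0cd25dc6bd87e55005e4a7759c99951a2e6da03a29a85451f5650578f9a3
• Instruction Fuzzy Hash: 655146B0D00649CFEB14DFA9C54879EBBF1EB48314F108199E81AA7360D774A944CF66
Uniqueness
Uniqueness Score: -1.00%
"""

# API lines appear with an argument list ("Foo.DLL(?,?), ref: X") or without one.
API_RE = re.compile(r"^• (?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+): ?(?P<value>.*)$")
BLOCK_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+$")  # a basic-block range in a CFG line
SCORE_RE = re.compile(r"^Uniqueness Score: (?P<score>-?[0-9.]+)%$")


def parse_listing(text):
    """Return one dict per function entry, in report order."""
    records, current, apis, start = [], None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph "):
            blocks = [t for t in line.split() if BLOCK_RE.match(t)]
            start = blocks[0].split("-")[0] if blocks else None  # entry block
        elif (m := API_RE.match(line)):
            apis.append({"name": m["name"], "module": m["module"],
                         "args": m["args"].split(",") if m["args"] else [],
                         "ref": int(m["ref"], 16)})
        elif (m := SRC_RE.match(line)):
            current = {"source_file": m["file"], "region_base": int(m["offset"], 16),
                       "based_on_pe": m["pe"] == "true", "start": start,
                       "api_calls": apis, "fields": {}}
            for call in apis:  # position of the call inside the dumped region
                call["offset_in_region"] = call["ref"] - current["region_base"]
            apis, start = [], None
        elif (m := SCORE_RE.match(line)) and current is not None:
            current["uniqueness_score"] = float(m["score"])
            records.append(current)
            current = None
        elif (m := FIELD_RE.match(line)) and current is not None:
            current["fields"][m["key"]] = m["value"].strip()
    return records


def api_histogram(records):
    """How often each Win32 API is referenced across the parsed functions."""
    return Counter(c["name"] for r in records for c in r["api_calls"])


def group_by_region(records):
    """Cluster function records by the base address of their memory dump."""
    groups = {}
    for r in records:
        groups.setdefault(r["region_base"], []).append(r)
    return groups


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for r in recs:
        print(r["start"], r["fields"]["API ID"], [hex(c["offset_in_region"]) for c in r["api_calls"]])
    print(api_histogram(recs))
```

Feed it the whole report text rather than the sample and the histogram gives a quick view of which APIs the dumped regions reach (here CreateActCtxA, CreateWindowExW, CallWindowProcW, SetWindowLongW, DuplicateHandle, LoadLibraryExW, GetModuleHandleW and the GetCurrent* group); the Opcode ID and Instruction Fuzzy Hash fields in `fields` are what you would key on to spot the same function appearing in more than one dump.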

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.297922451.000000000239D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0239D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_239d000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 86cf03d23329e645c612610d8a93f06f9a8e5e5d5fb7cf546db2bba33d221201
                                                                                      • Instruction ID: d48605f369156f0302a160c7481bc9c27541794aea0721a186b45f256af89282
                                                                                      • Opcode Fuzzy Hash: 86cf03d23329e645c612610d8a93f06f9a8e5e5d5fb7cf546db2bba33d221201
                                                                                      • Instruction Fuzzy Hash: DC216772508248DFDF05EF50D9C1B26BB65FB89324F20C5A9E9454B20BC33AD816CBA2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.297922451.000000000239D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0239D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_239d000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9cb6914a315db422c240b77198cc3dc1faa46e1ede90bfb0a2b36475639d7e22
                                                                                      • Instruction ID: eab7e0f4872393859d32e55eef775eb15cdbb68cb419c559f7b7844a4c87dd0f
                                                                                      • Opcode Fuzzy Hash: 9cb6914a315db422c240b77198cc3dc1faa46e1ede90bfb0a2b36475639d7e22
                                                                                      • Instruction Fuzzy Hash: 2B212C71504248DFDF05EF14D9C1B26BFA5FB89328F24C569E9064B207C336D856C7A2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.297947607.00000000023AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 023AD000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_23ad000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d2345b39366e42ff67002261e4ddedfc8d63261958abd70084f24a0949b6115e
                                                                                      • Instruction ID: 23e7b72a9bd3a154a6ba8d08ed5db05dc834eaab64b9c4796c24899af4a33276
                                                                                      • Opcode Fuzzy Hash: d2345b39366e42ff67002261e4ddedfc8d63261958abd70084f24a0949b6115e
                                                                                      • Instruction Fuzzy Hash: 35213771504248DFDB14DF10D9D1B26BBA5FB88314F20C579E94A4BA46C33AD847CB62
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.297947607.00000000023AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 023AD000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_23ad000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b670d4fbc9b1eada029be83475127522fb5ec867fad4500460f9c9236c03c550
                                                                                      • Instruction ID: 04b237c2fb6360820f00b6d96670f660c93ed87693112dd6d38397b5e2d021ac
                                                                                      • Opcode Fuzzy Hash: b670d4fbc9b1eada029be83475127522fb5ec867fad4500460f9c9236c03c550
                                                                                      • Instruction Fuzzy Hash: A9214971504248DFDB05DF10D9D0B26BBA5FB88314F20C5BDE90A4BA42C33AD846CB62
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.297947607.00000000023AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 023AD000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_23ad000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bd86739f5bfa9310e76052948e3a195d5854227f56d06b96534d51a93b3ab084
                                                                                      • Instruction ID: 7cfeeab9bb179df845a30e00bb8e8a07e403f732c44f0c229521a4c1a7d26424
                                                                                      • Opcode Fuzzy Hash: bd86739f5bfa9310e76052948e3a195d5854227f56d06b96534d51a93b3ab084
                                                                                      • Instruction Fuzzy Hash: B52150755083849FCB12CF24D9A4B11BF71EB4A214F28C5EAD8858F657C33A985ACB62
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.297922451.000000000239D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0239D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_239d000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ad326327ce3695d0532ade8975a43746d8ea2f8ec64f5e85c8076c2929bb7440
                                                                                      • Instruction ID: 002ecb89c8e007c7b8101ede28d39a533334ba1f96bc162840f132558d530d27
                                                                                      • Opcode Fuzzy Hash: ad326327ce3695d0532ade8975a43746d8ea2f8ec64f5e85c8076c2929bb7440
                                                                                      • Instruction Fuzzy Hash: 4221AF76404284DFCF16DF54D9C4B16BF71FB89324F24C6A9D8440B65AC33AD46ACBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.297922451.000000000239D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0239D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_239d000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e0ad98083cd3f6a1f327fb3791d4c51c54c40c3e449d9af064cf0938e6012292
                                                                                      • Instruction ID: a70e5b423cc95ee80611a6e5ef23a8b8d8cef1b710ec8d7a8efb56f84d0391c6
                                                                                      • Opcode Fuzzy Hash: e0ad98083cd3f6a1f327fb3791d4c51c54c40c3e449d9af064cf0938e6012292
                                                                                      • Instruction Fuzzy Hash: 3A110876404284CFCF12DF14D5C4B16BF71FB89324F24C6A9D8050B616C33AD45ACBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.297947607.00000000023AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 023AD000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_23ad000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a1e55ec16ce5b3be691d5ca47d2e5e859d2027a6588d22104c5b4c3b3dae5ede
                                                                                      • Instruction ID: 2103bdb785d03d89a71f3692f9c7173b6afe82ca9c6fa9807df4285d1d808b2e
                                                                                      • Opcode Fuzzy Hash: a1e55ec16ce5b3be691d5ca47d2e5e859d2027a6588d22104c5b4c3b3dae5ede
                                                                                      • Instruction Fuzzy Hash: 2B119D75904284DFCB12CF10D6D4B15FBB1FB84324F28C6ADD8494BA56C33AD45ACBA1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.297922451.000000000239D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0239D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_239d000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 63677811ab7fb32b2fc2a23b0d8b586f97b74c57e20a3bcf20f0590f1480be1e
                                                                                      • Instruction ID: cd3d0e74f1f3e27c2adf06086ecf6fcaeb1e1b92ba5f383faa9ce4d5cc0d08fd
                                                                                      • Opcode Fuzzy Hash: 63677811ab7fb32b2fc2a23b0d8b586f97b74c57e20a3bcf20f0590f1480be1e
                                                                                      • Instruction Fuzzy Hash: F1012B71408348AEEB106E25CDC5B66FB9CEF42278F08C51AFE055B247D37AD844C6B2
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.297922451.000000000239D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0239D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_239d000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d9d490e720a68ed80a54fe8b8406a7306fca59d0ffbcc1dcf396d0e1a430342f
                                                                                      • Instruction ID: 9ed76f4849ee747244f528f4b34b6c574819f585001ebd3bb9bf6caf20a98c29
                                                                                      • Opcode Fuzzy Hash: d9d490e720a68ed80a54fe8b8406a7306fca59d0ffbcc1dcf396d0e1a430342f
                                                                                      • Instruction Fuzzy Hash: A0F09672404394AFEB109E15CDC4B62FF98EB82774F18C45AFD085B286C37A9844CBB1
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5653502da5212e359f07f1b676e54b3607a5dcd7673a3201acbef05ea700fc4a
                                                                                      • Instruction ID: c8bf38c14bca9959080840da4705eda403081bff4ea894a62873c0e4a1b22690
                                                                                      • Opcode Fuzzy Hash: 5653502da5212e359f07f1b676e54b3607a5dcd7673a3201acbef05ea700fc4a
                                                                                      • Instruction Fuzzy Hash: B01271B1C12746AAD310CFA6F99C1897BA1F76532CB904208D2711FAD1D7BC194BEF94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.303964388.0000000004B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_4b50000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4bd83d98e97854d898f949cf8da676c399d8981dafbdbd053d1fe05e9e395360
                                                                                      • Instruction ID: 18ca0102d44a995ad5a8eba72c716ef8c2926c33e87556e642adb65649097fc7
                                                                                      • Opcode Fuzzy Hash: 4bd83d98e97854d898f949cf8da676c399d8981dafbdbd053d1fe05e9e395360
                                                                                      • Instruction Fuzzy Hash: F1C1FAB1C12746AAD710DFA6F8981897BA1FBA532CF914208D2712F6D0D7BC184BDF94
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298143380.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_23f0000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b78fbf037e1448e3d25d18a302330369bbcbba201807dc323c200a4783b8f74c
                                                                                      • Instruction ID: 035463e6f9d8740991bdccfaa771f11fe0f5a88b5b7ab2c89be79d6aaa2f0b15
                                                                                      • Opcode Fuzzy Hash: b78fbf037e1448e3d25d18a302330369bbcbba201807dc323c200a4783b8f74c
                                                                                      • Instruction Fuzzy Hash: E5614CB0E042048FDB49EFAAE555A8ABBF7AFD9304F04C839D1059B274EB71580A8F41
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298143380.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_23f0000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 00afd5525a6b4c652c144f33fac4cdafec1739391f8ee022e3b0e38d52878a9d
                                                                                      • Instruction ID: a79905c7b92970b02dcf7994522e035c7a495fd6659c343decf050eade6ca65b
                                                                                      • Opcode Fuzzy Hash: 00afd5525a6b4c652c144f33fac4cdafec1739391f8ee022e3b0e38d52878a9d
                                                                                      • Instruction Fuzzy Hash: C34140B1E056588BEB5CCF6B9C50689FBF7AFC8204F14C1BAD50DAB268EB3105568F01
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.298143380.00000000023F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023F0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_23f0000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4a9d0cf3c4727e711aa2249256037f5e3946072c5e7d754e8891c973a9eb51a1
                                                                                      • Instruction ID: 11215e4e91fcf1702aa1787b822d27844573435ae23ea2f32345057b643a0133
                                                                                      • Opcode Fuzzy Hash: 4a9d0cf3c4727e711aa2249256037f5e3946072c5e7d754e8891c973a9eb51a1
                                                                                      • Instruction Fuzzy Hash: D5416BB1E056588BEB68CF6BDC44789FAF7BFC8204F14C1BA950CAA255DB310996CF11
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 12%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 137
Total number of Limit Nodes: 8

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.517906786.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_6150000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.517965205.0000000006320000.00000040.00000800.00020000.00000000.sdmp, Offset: 06320000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_6320000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.517906786.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_6150000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.517906786.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_6150000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • LoadLibraryA.KERNELBASE(?), ref: 02A4D0C2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.513958727.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_2a40000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID:
                                                                                      • API String ID: 1029625771-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • LoadLibraryA.KERNELBASE(?), ref: 02A4D0C2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.513958727.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_2a40000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID:
                                                                                      • API String ID: 1029625771-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0615C34E,?,?,?,?,?), ref: 0615C40F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.517906786.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_6150000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: DuplicateHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3793708945-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0615C34E,?,?,?,?,?), ref: 0615C40F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.517906786.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_6150000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: DuplicateHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3793708945-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 02A44D62
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.513958727.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_2a40000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: EncodePointer
                                                                                      • String ID:
                                                                                      • API String ID: 2118026453-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06157B62), ref: 06157C4F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.517906786.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_6150000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: GlobalMemoryStatus
                                                                                      • String ID:
                                                                                      • API String ID: 1890195054-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,06157B62), ref: 06157C4F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.517906786.0000000006150000.00000040.00000800.00020000.00000000.sdmp, Offset: 06150000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_6150000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: GlobalMemoryStatus
                                                                                      • String ID:
                                                                                      • API String ID: 1890195054-0
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%

                                                                                      Control-flow Graph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      control_flow_graph 1084 2a44ce8-2a44d2a 1087 2a44d30 1084->1087 1088 2a44d2c-2a44d2e 1084->1088 1089 2a44d35-2a44d40 1087->1089 1088->1089 1090 2a44da1-2a44dae 1089->1090 1091 2a44d42-2a44d73 RtlEncodePointer 1089->1091 1093 2a44d75-2a44d7b 1091->1093 1094 2a44d7c-2a44d9c 1091->1094 1093->1094 1094->1090
                                                                                      APIs
                                                                                      • RtlEncodePointer.NTDLL(00000000), ref: 02A44D62
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000009.00000002.513958727.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_9_2_2a40000_PAGO 041011.jbxd
                                                                                      Similarity
                                                                                      • API ID: EncodePointer
                                                                                      • String ID:
                                                                                      • API String ID: 2118026453-0
                                                                                      • Opcode ID: 5efd19bd526342cb67ad5fafcea3baf957962e46833b67d365d4caaa1251906a
                                                                                      • Instruction ID: 3ac5d3cc6109fb76b068279629e1921de69a72c5cb0a9dff465192def1354664
                                                                                      • Opcode Fuzzy Hash: 5efd19bd526342cb67ad5fafcea3baf957962e46833b67d365d4caaa1251906a
                                                                                      • Instruction Fuzzy Hash: 211197759017048FDB10DFA9D54879EBFF8EB88314F20846EE809A3600CB38A589CFA5
                                                                                      Uniqueness

                                                                                      Uniqueness Score: -1.00%