
Windows Analysis Report
Eaton PO-45150292964.exe

Overview

General Information

Sample name: Eaton PO-45150292964.exe
Analysis ID: 1427169
MD5: 3a64b763c78291700bd114bfc3ecdde3
SHA1: 7260be2d4cf3fbcf231e94a84c8f3cf252163c89
SHA256: 8bbfa40764eabafad6f90d973784f343b8d7146689f4fd4384da26935b2bca5e
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Eaton PO-45150292964.exe (PID: 6620 cmdline: "C:\Users\user\Desktop\Eaton PO-45150292964.exe" MD5: 3A64B763C78291700BD114BFC3ECDDE3)
    • Eaton PO-45150292964.exe (PID: 2764 cmdline: "C:\Users\user\Desktop\Eaton PO-45150292964.exe" MD5: 3A64B763C78291700BD114BFC3ECDDE3)
      • WerFault.exe (PID: 2892 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 80 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • Eaton PO-45150292964.exe (PID: 4512 cmdline: "C:\Users\user\Desktop\Eaton PO-45150292964.exe" MD5: 3A64B763C78291700BD114BFC3ECDDE3)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted configuration: {"Exfil Mode": "SMTP", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Yara matches in memory dumps (Source | Rule | Description | Author):
Source: 00000006.00000002.4451010775.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
(9 entries in total; 5 shown)

Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen | Strings:
  • 0x316f7: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31769: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317f3: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31885: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318ef: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31961: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319f7: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a87: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
(16 entries in total; 6 shown)

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\Eaton PO-45150292964.exe, Initiated: true, ProcessId: 4512, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706
No Snort rule has matched

AV Detection

Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Source: Eaton PO-45150292964.exe | ReversingLabs: Detection: 39%
Source: Eaton PO-45150292964.exe | Virustotal: Detection: 52%
Source: Eaton PO-45150292964.exe | Joe Sandbox ML: detected
Source: Eaton PO-45150292964.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: Eaton PO-45150292964.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: Joe Sandbox View | ASN Name: ASLAGIDKOM-NETUA
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org (3 occurrences)
Source: global traffic | TCP traffic: 192.168.2.5:49706 -> 46.175.148.58:25
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Eaton PO-45150292964.exe, 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp, Eaton PO-45150292964.exe, 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, Eaton PO-45150292964.exe, 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Eaton PO-45150292964.exe, 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp, Eaton PO-45150292964.exe, 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, Eaton PO-45150292964.exe, 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49705 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, abAX9N.cs | .Net Code: BFeixnEv
Source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.raw.unpack, abAX9N.cs | .Net Code: BFeixnEv
Source: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack, abAX9N.cs | .Net Code: BFeixnEv
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Eaton PO-45150292964.exe
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.Eaton PO-45150292964.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Eaton PO-45150292964.exe.3713540.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 0_2_04A50054 CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, WriteProcessMemory, Wow64GetThreadContext, WriteProcessMemory, Wow64SetThreadContext, ResumeThread
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 0_2_04A50000 CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, WriteProcessMemory, Wow64GetThreadContext, WriteProcessMemory, Wow64SetThreadContext, ResumeThread
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_00FD4A98
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_00FDADF0
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_00FD3E80
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_00FD41C8
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_06683578
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_06685D30
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_066845A0
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_06681030
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_0668E0B9
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_0668A140
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_066891E0
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_06685650
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_0668C618
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_06683C8F
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_06680328
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 80
Source: Eaton PO-45150292964.exe, 00000000.00000002.1994771331.00000000009AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe, 00000000.00000000.1967800956.0000000000298000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamecBvCffO.exe< vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe, 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe, 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe, 00000006.00000002.4449730524.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe, 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe | Binary or memory string: OriginalFilenamecBvCffO.exe< vs Eaton PO-45150292964.exe
Source: Eaton PO-45150292964.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.Eaton PO-45150292964.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Eaton PO-45150292964.exe.3713540.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Eaton PO-45150292964.exe.36d8b10.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Eaton PO-45150292964.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Eaton PO-45150292964.exe, tyFJ.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, RsYAkkzVoy.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, Kqqzixk.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, xROdzGigX.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, ywes.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, iPVW0zV.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, 1Pi9sgbHwoV.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/0@2/2
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2764
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\52feed5b-8ffe-4cd1-8d8a-78dfd9832551
Source: Eaton PO-45150292964.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Eaton PO-45150292964.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Eaton PO-45150292964.exe | ReversingLabs: Detection: 39%
Source: Eaton PO-45150292964.exe | Virustotal: Detection: 52%
Source: unknown | Process created: C:\Users\user\Desktop\Eaton PO-45150292964.exe "C:\Users\user\Desktop\Eaton PO-45150292964.exe"
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Process created: C:\Users\user\Desktop\Eaton PO-45150292964.exe "C:\Users\user\Desktop\Eaton PO-45150292964.exe"
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 80
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Process created: C:\Users\user\Desktop\Eaton PO-45150292964.exe "C:\Users\user\Desktop\Eaton PO-45150292964.exe" (3 occurrences)
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Eaton PO-45150292964.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Eaton PO-45150292964.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 0_2_00C30015 push ss; ret 0_2_00C3001E
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_00FD0B4D push edi; ret 6_2_00FD0CC2
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 6_2_00FD0C95 push edi; retf 6_2_00FD0C3A

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (129).png
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Memory allocated: C30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Memory allocated: 2560000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Memory allocated: 4560000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Memory allocated: FD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Memory allocated: 2C90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Memory allocated: 2A10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Window / User API: threadDelayed 649
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Window / User API: threadDelayed 9211
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 3732 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 5356 | Thread sleep count: 200 > 30
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 5356 | Thread sleep count: 100 > 30
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -26747778906878833s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 2716 | Thread sleep count: 649 > 30
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -99890s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 2716 | Thread sleep count: 9211 > 30
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -99780s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -99671s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -99562s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -99453s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -99344s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -99234s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -99125s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -99015s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -98906s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -98797s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -98687s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -98578s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -98467s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -98359s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -98250s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -98140s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -98031s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -97922s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -97797s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -97687s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -97578s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -97468s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -97359s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -97250s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -97140s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -97031s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -96922s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -96797s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -96687s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -96578s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -96469s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -96344s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -96234s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -96125s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -96015s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -95906s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -95797s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -95687s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -95578s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -95468s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -95359s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -95250s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -95140s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -95031s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -94922s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -94811s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -94699s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe TID: 6760 | Thread sleep time: -94594s >= -30000s
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 99890
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 99780
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 99671
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 99562
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 99453
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 99344
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 99234
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 99125
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 99015
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 98906
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 98797
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 98687
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 98578
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 98467
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 98359
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 98250
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 98140
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 98031
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 97922
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 97797
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 97687
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 97578
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 97468
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 97359
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 97250
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 97140
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 97031
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 96922
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 96797
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 96687
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 96578
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 96469
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 96344
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 96234
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 96125
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 96015
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 95906
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 95797
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 95687
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 95578
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 95468
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 95359
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 95250
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 95140
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 95031
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 94922
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 94811
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 94699
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Thread delayed: delay time: 94594
                    Source: Eaton PO-45150292964.exe, 00000006.00000002.4450149868.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Code function: 0_2_04A50054 CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,0_2_04A50054
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Memory written: C:\Users\user\Desktop\Eaton PO-45150292964.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Process created: C:\Users\user\Desktop\Eaton PO-45150292964.exe "C:\Users\user\Desktop\Eaton PO-45150292964.exe"
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Queries volume information: C:\Users\user\Desktop\Eaton PO-45150292964.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Eaton PO-45150292964.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
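The entries above describe one process-hollowing chain: the sample starts a second copy of itself suspended, unmaps the child's image, allocates and writes a replacement PE (the "4D5A", i.e. MZ, at base 0x400000) and redirects the thread before resuming it. The Wow64 variants of the context calls mean a 32-bit (WOW64) target, which is consistent with the PE32 sample. The following Python is an added example written for this page, not Joe Sandbox code. It checks the API chain the report prints for function 0_2_04A50054 against the hollowing stages, then runs the same check statefully over a constructed per-process event trace; the PIDs, flags, sizes and section bases in that trace are assumptions modelled on the report, not captured values.

```python
"""Process-hollowing detection over a behaviour trace.

Added example for this page, not Joe Sandbox code.  TRACE is constructed to
follow the call chain the report prints for 0_2_04A50054 and its "Memory
written ... base: 400000 value starts with: 4D5A" event; its PIDs, flags and
sizes are assumptions, not captured values.
"""
from dataclasses import dataclass, field
from typing import Optional

# Stages of classic hollowing (RunPE), in the order they must hit one target.
# GetThreadContext is left out: it is read-only and debuggers use it too.
HOLLOW_STAGES = [
    "CreateProcess",         # child created suspended
    "NtUnmapViewOfSection",  # its original image carved out
    "VirtualAllocEx",        # room for the replacement image
    "WriteProcessMemory",    # replacement PE written (starts with MZ)
    "SetThreadContext",      # thread redirected into it
    "ResumeThread",          # hollowed process runs
]
CREATE_SUSPENDED = 0x00000004

# The chain exactly as printed in the report for function 0_2_04A50054.
REPORT_CHAIN = ("CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,"
                "WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,"
                "Wow64SetThreadContext,ResumeThread")


def stage_of(api: str) -> Optional[str]:
    """Map spellings such as CreateProcessW, Wow64SetThreadContext or
    NtResumeThread to the stage they implement; None if not a stage."""
    name = api.strip().lower()
    return next((s for s in HOLLOW_STAGES if s.lower() in name), None)


def chain_covers_hollowing(chain: str) -> bool:
    """Static check: a comma-separated API list contains every stage, in order."""
    want = 0
    for api in chain.split(","):
        if want < len(HOLLOW_STAGES) and stage_of(api) == HOLLOW_STAGES[want]:
            want += 1
    return want == len(HOLLOW_STAGES)


@dataclass
class Event:
    pid: int                      # calling process
    api: str                      # API name as logged
    target: Optional[int] = None  # process acted upon (the child)
    args: dict = field(default_factory=dict)


def detect_hollowing(events, image_base=0x400000):
    """Dynamic check: one finding per target that completes all stages in order.

    Repeats of the stage just completed (several WriteProcessMemory calls) are
    tolerated; other out-of-order calls are ignored.  image_base is where the
    replacement image is expected (0x400000 in this report).
    """
    chains, findings = {}, []
    for ev in events:
        stage = stage_of(ev.api)
        if stage is None or ev.target is None:
            continue
        if stage == "CreateProcess":
            if ev.args.get("flags", 0) & CREATE_SUSPENDED:
                chains[ev.target] = {"next": 1, "creator": ev.pid,
                                     "image": ev.args.get("image"), "mz": False}
            continue
        rec = chains.get(ev.target)
        if rec is None:
            continue
        if stage == HOLLOW_STAGES[rec["next"]]:
            rec["next"] += 1
        elif stage != HOLLOW_STAGES[rec["next"] - 1]:
            continue
        if (stage == "WriteProcessMemory" and ev.args.get("base") == image_base
                and ev.args.get("data", b"")[:2] == b"MZ"):
            rec["mz"] = True                  # the report's "value starts with: 4D5A"
        if rec["next"] == len(HOLLOW_STAGES):
            findings.append({"creator": rec["creator"], "target": ev.target,
                             "image": rec["image"], "mz_at_image_base": rec["mz"]})
            del chains[ev.target]
    return findings


SAMPLE = r"C:\Users\user\Desktop\Eaton PO-45150292964.exe"

# Constructed trace (assumed PIDs 1000 -> 2000); sizes and section bases are made up.
TRACE = [
    Event(1000, "CreateProcessW", 2000, {"image": SAMPLE, "flags": CREATE_SUSPENDED}),
    Event(1000, "NtUnmapViewOfSection", 2000, {"base": 0x400000}),
    Event(1000, "VirtualAllocEx", 2000, {"base": 0x400000, "size": 0x60000, "protect": 0x40}),
    Event(1000, "WriteProcessMemory", 2000, {"base": 0x400000, "data": b"MZ\x90\x00"}),
    Event(1000, "WriteProcessMemory", 2000, {"base": 0x402000, "data": b"\x00" * 8}),
    Event(1000, "Wow64GetThreadContext", 2000),
    Event(1000, "WriteProcessMemory", 2000, {"base": 0x45C000, "data": b"\x00" * 8}),
    Event(1000, "Wow64SetThreadContext", 2000),
    Event(1000, "ResumeThread", 2000),
]
# Constructed control: a child started normally, then a debugger-style write.
BENIGN = [
    Event(1000, "CreateProcessW", 3000, {"image": r"C:\Windows\System32\notepad.exe", "flags": 0}),
    Event(1000, "WriteProcessMemory", 3000, {"base": 0x7FF000, "data": b"\xcc"}),
]

if __name__ == "__main__":
    print("report chain matches hollowing:", chain_covers_hollowing(REPORT_CHAIN))
    print(detect_hollowing(TRACE), detect_hollowing(BENIGN))
```

The static check is what you run against a report's "Code function" line; the stateful one is the shape of a sandbox or EDR rule, keyed on the target handle so that a process writing into several children is scored per child, and requiring CREATE_SUSPENDED so that a debugger attaching to a running process does not trip it.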

                    Stealing of Sensitive Information

Yara match: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack (type: UNPACKEDPE)
Yara match: 6.2.Eaton PO-45150292964.exe.400000.0.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.36d8b10.0.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.3713540.1.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.36d8b10.0.raw.unpack (type: UNPACKEDPE)
Yara match: 00000006.00000002.4451010775.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
Yara match: 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
Yara match: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp (type: MEMORY)
Yara match: 00000006.00000002.4451010775.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
Yara match: 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
Yara match: Process Memory Space: Eaton PO-45150292964.exe PID: 6620 (type: MEMORYSTR)
Yara match: Process Memory Space: Eaton PO-45150292964.exe PID: 4512 (type: MEMORYSTR)
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Eaton PO-45150292964.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara match: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack (type: UNPACKEDPE)
Yara match: 6.2.Eaton PO-45150292964.exe.400000.0.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.36d8b10.0.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.3713540.1.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.36d8b10.0.raw.unpack (type: UNPACKEDPE)
Yara match: 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
Yara match: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp (type: MEMORY)
Yara match: 00000006.00000002.4451010775.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
Yara match: 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
Yara match: Process Memory Space: Eaton PO-45150292964.exe PID: 6620 (type: MEMORYSTR)
Yara match: Process Memory Space: Eaton PO-45150292964.exe PID: 4512 (type: MEMORYSTR)
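The file and registry opens in this section are the standard stealer walk over credential stores: the Chromium-based browsers' Login Data databases, the Firefox and Thunderbird profiles.ini files that locate their password stores, the Outlook MAPI profile key under Windows Messaging Subsystem, IncrediMail identities and WinSCP saved sessions. No single legitimate application reads stores belonging to a browser, a mail client and an SFTP client in one run, and that is the property the following Python scores. It is an added example written for this page, not Joe Sandbox code: it parses access lines in the report's layout, normalises the paths so the account name and hive spelling do not matter, and maps them to client categories. The target list is illustrative rather than AgentTesla's complete set, and the input lines are constructed from the entries above plus one benign Chrome access as a control.

```python
"""Credential-store access classification.

Added example for this page, not Joe Sandbox code.  LINES is constructed
from this report's "File opened" / "Key opened" entries plus one benign
Chrome access; TARGETS is illustrative, not AgentTesla's complete set.
"""
import re
from collections import defaultdict

# (category, client, regex over the normalised path).  Paths are normalised so
# the user profile directory and the registry hive spelling do not matter.
TARGETS = [
    ("browser", "Chrome",      r"^%LOCALAPPDATA%\\google\\chrome\\user data\\.*\\login data$"),
    ("browser", "Edge",        r"^%LOCALAPPDATA%\\microsoft\\edge\\user data\\.*\\login data$"),
    ("browser", "Firefox",     r"^%APPDATA%\\mozilla\\firefox\\profiles\.ini$"),
    ("mail",    "Thunderbird", r"^%APPDATA%\\thunderbird\\profiles\.ini$"),
    ("mail",    "Outlook",     r"^hkcu\\software\\microsoft\\windows nt\\currentversion\\"
                               r"windows messaging subsystem\\profiles"),
    ("mail",    "IncrediMail", r"^hkcu\\software\\incredimail\\identities"),
    ("ftp/ssh", "WinSCP",      r"^hkcu\\software\\martin prikryl\\winscp 2\\sessions"),
]

# Report line layout: "Source: <process>File opened: <path>".  The raw export
# fuses process and event (an optional " | " is accepted) and may trail the
# link text "Jump to behavior".
LINE = re.compile(r"^Source: (?P<proc>.+?\.exe)(?: \| )?(?P<kind>File opened|Key opened): "
                  r"(?P<obj>.+?)(?:Jump to behavior)?$")


def normalise(obj: str) -> str:
    """Lower-case and replace profile-specific prefixes with placeholders."""
    p = obj.strip().lower()
    p = re.sub(r"^c:\\users\\[^\\]+\\appdata\\local\\", r"%LOCALAPPDATA%\\", p)
    p = re.sub(r"^c:\\users\\[^\\]+\\appdata\\roaming\\", r"%APPDATA%\\", p)
    p = re.sub(r"^hkey_current_user\\", r"hkcu\\", p)
    return p


def classify(lines):
    """Return {process: {category: {clients}}} for accesses to known stores."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        obj = normalise(m["obj"])
        for category, client, pattern in TARGETS:
            if re.match(pattern, obj):
                hits[m["proc"]][category].add(client)
    return hits


def looks_like_stealer(categories, min_categories=2):
    """A browser reading its own Login Data touches one category; a process
    that reads browser, mail and FTP/SSH stores in one run is harvesting."""
    return len(categories) >= min_categories


SAMPLE = r"C:\Users\user\Desktop\Eaton PO-45150292964.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed input: the report's entries for the sample, plus a benign control.
LINES = [
    rf"Source: {SAMPLE}Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    rf"Source: {SAMPLE}File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    rf"Source: {SAMPLE} | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    rf"Source: {SAMPLE}File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    rf"Source: {SAMPLE}File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    rf"Source: {SAMPLE}File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior",
    rf"Source: {SAMPLE}Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    rf"Source: {SAMPLE}Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    rf"Source: {CHROME}File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
]

if __name__ == "__main__":
    for proc, cats in classify(LINES).items():
        verdict = "STEALER-LIKE" if looks_like_stealer(cats) else "single client"
        print(f"{proc}: {verdict} {{c: sorted(v) for c, v in cats.items()}}")
```

On a live host the same categorisation applies to file-system audit events (a SACL for ReadData on Login Data and profiles.ini, event 4663) and to registry audit events on the WinSCP and MAPI keys; the cross-category rule is what keeps the browser's own reads of its database out of the alert.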

                    Remote Access Functionality

Yara match: 0.2.Eaton PO-45150292964.exe.4b10000.2.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.3713540.1.raw.unpack (type: UNPACKEDPE)
Yara match: 6.2.Eaton PO-45150292964.exe.400000.0.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.4b10000.2.raw.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.36d8b10.0.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.3713540.1.unpack (type: UNPACKEDPE)
Yara match: 0.2.Eaton PO-45150292964.exe.36d8b10.0.raw.unpack (type: UNPACKEDPE)
Yara match: 00000006.00000002.4451010775.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
Yara match: 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp (type: MEMORY)
Yara match: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp (type: MEMORY)
Yara match: 00000006.00000002.4451010775.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
Yara match: 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp (type: MEMORY)
Yara match: Process Memory Space: Eaton PO-45150292964.exe PID: 6620 (type: MEMORYSTR)
Yara match: Process Memory Space: Eaton PO-45150292964.exe PID: 4512 (type: MEMORYSTR)
MITRE ATT&CK Matrix

Only the techniques the analysis flagged are listed, grouped by tactic; the digits in front of each technique are the signature-count badges the report renders in that cell and are reproduced as shown. The unflagged filler cells of the matrix are omitted: no technique was flagged under Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.

Execution: 121 Windows Management Instrumentation
Persistence: 1 DLL Side-Loading
Privilege Escalation: 1 DLL Side-Loading; 211 Process Injection
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 151 Virtualization/Sandbox Evasion; 211 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; 1 Credentials in Registry
Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 1 Query Registry; 121 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 1 Clipboard Data
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 23 Application Layer Protocol
Source | Detection | Scanner | Label
Eaton PO-45150292964.exe | 39% | ReversingLabs | Win32.Ransomware.Loki
Eaton PO-45150292964.exe | 52% | Virustotal |
Eaton PO-45150292964.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
mail.iaa-airferight.com | 3% | Virustotal |
Source | Detection | Scanner | Label
http://mail.iaa-airferight.com | 3% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | true | | unknown
api.ipify.org | 104.26.12.205 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | Eaton PO-45150292964.exe, 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp; Eaton PO-45150292964.exe, 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp; Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002C91000.00000004.00000800.00020000.00000000.sdmp; Eaton PO-45150292964.exe, 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | Eaton PO-45150292964.exe, 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp; Eaton PO-45150292964.exe, 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp; Eaton PO-45150292964.exe, 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.iaa-airferight.com | Eaton PO-45150292964.exe, 00000006.00000002.4451010775.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENET (US) | false
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NET (UA) | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427169
Start date and time: 2024-04-17 07:13:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Eaton PO-45150292964.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/0@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 67
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
07:13:50 | API Interceptor | 13232174x Sleep call for process: Eaton PO-45150292964.exe modified
Context: IPs seen in other analyses
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.12.205 | Sky-Beta.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.12.205 | SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe | malicious | Bunny Loader | api.ipify.org/
104.26.12.205 | lods.cmd | malicious | Remcos | api.ipify.org/
46.175.148.58 | remittance payment of invoice DMWW24009.exe | malicious | AgentTesla |
46.175.148.58 | Proforma Invoice - Well Ergon.exe | malicious | AgentTesla |
46.175.148.58 | PURCHASE ORDER.exe | malicious | AgentTesla |
46.175.148.58 | SecuriteInfo.com.Win32.PWSX-gen.14523.13498.exe | malicious | AgentTesla |
46.175.148.58 | order Depeng POORD20231109001.exe | malicious | AgentTesla |
46.175.148.58 | Swift_copy.pdf (2).exe | malicious | AgentTesla |
46.175.148.58 | Swift Copy.exe | malicious | AgentTesla |
46.175.148.58 | purchase_order T&B19-20PO128.pdf.exe | malicious | AgentTesla |
46.175.148.58 | Booking Form PIF.scr.exe | malicious | AgentTesla |

Context: domains seen in other analyses
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.iaa-airferight.com | remittance payment of invoice DMWW24009.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Proforma Invoice - Well Ergon.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | PURCHASE ORDER.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | SecuriteInfo.com.Win32.PWSX-gen.14523.13498.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | order Depeng POORD20231109001.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Swift_copy.pdf (2).exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Swift Copy.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | purchase_order T&B19-20PO128.pdf.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Booking Form PIF.scr.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Outstanding_Invoice_For_PI91328.rar.exe | malicious | AgentTesla | 84.54.23.97
api.ipify.org | 45brrQrxwH.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | Quotation 0048484.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | msXkgFIUyS.rtf | malicious | AgentTesla | 104.26.13.205
api.ipify.org | remittance payment of invoice DMWW24009.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | NOA, BL and invoice.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | https://worker-royal-sun-1090.nipocas604.workers.dev/ | malicious | HTMLPhisher | 172.67.74.152
api.ipify.org | z158xIuvhauCQiddTe.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | z34PDnVzyEItkXaInw.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | https://webex-install.com | malicious | NetSupport RAT | 104.26.13.205
api.ipify.org | SecuriteInfo.com.Win64.PWSX-gen.6289.18727.exe | malicious | CredGrabber, Meduza Stealer, PureLog Stealer | 172.67.74.152

Context: ASNs seen in other analyses
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENET (US) | hcjt7Ajt5t.exe | malicious | LummaC | 172.67.217.241
CLOUDFLARENET (US) | 45brrQrxwH.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENET (US) | Quotation 0048484.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENET (US) | 3otr19d5Oq.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.77.31
CLOUDFLARENET (US) | msXkgFIUyS.rtf | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENET (US) | http://bookstopbuzz.com | malicious | Unknown | 23.227.38.65
CLOUDFLARENET (US) | remittance payment of invoice DMWW24009.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENET (US) | 2llKbb9pR7.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | 172.67.177.98
CLOUDFLARENET (US) | NOA, BL and invoice.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENET (US) | Hays_compiled_documents.ZIP.js | malicious | Unknown | 104.21.95.148
ASLAGIDKOM-NET (UA) | remittance payment of invoice DMWW24009.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NET (UA) | Proforma Invoice - Well Ergon.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NET (UA) | PURCHASE ORDER.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NET (UA) | SecuriteInfo.com.Win32.PWSX-gen.14523.13498.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NET (UA) | order Depeng POORD20231109001.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NET (UA) | Swift_copy.pdf (2).exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NET (UA) | Swift Copy.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NET (UA) | purchase_order T&B19-20PO128.pdf.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NET (UA) | Booking Form PIF.scr.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NET (UA) | vegpadg6oW.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, PureLog Stealer, RedLine, SmokeLoader | 46.175.144.56

Context: JA3 client fingerprint seen in other analyses
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | 45brrQrxwH.exe | malicious | AgentTesla | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | Quotation 0048484.exe | malicious | AgentTesla | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | remittance payment of invoice DMWW24009.exe | malicious | AgentTesla | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | 2llKbb9pR7.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | NOA, BL and invoice.exe | malicious | AgentTesla | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | Hays_compiled_documents.ZIP.js | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | MdeeRbWvqe.exe | malicious | LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | bCsfnThSOV.exe | malicious | Phemedrone Stealer | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | bCsfnThSOV.exe | malicious | Phemedrone Stealer | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | z158xIuvhauCQiddTe.exe | malicious | AgentTesla | 104.26.12.205
                                                  No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.277596623778398
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Eaton PO-45150292964.exe
File size: 567'296 bytes
MD5: 3a64b763c78291700bd114bfc3ecdde3
SHA1: 7260be2d4cf3fbcf231e94a84c8f3cf252163c89
SHA256: 8bbfa40764eabafad6f90d973784f343b8d7146689f4fd4384da26935b2bca5e
SHA512: 87bdf6073e722cca6919d3b63a2483d4066388762baf127e10d347fdc1f9c04d168df63d858557a864f508160f43935635c11b7910fafac5c82f6f661363b9e0
SSDEEP: 12288:bPOq1+u42964kZGQLd6yG6I+GAdP7r9r/+pppppppppppppppppppppppppppppb:bPdlMRZGyd9Z1q
TLSH: 90C48CC0E98566A0ED59AB356A36CD3542237EFDA874A41D28DE3D273FFB3931022153
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3..f.................R...T.......p... ........@.. ....................................@................................
Icon Hash: c5a484988c94a04b
Entrypoint: 0x45700e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x661F1133 [Wed Apr 17 00:00:51 2024 UTC] (about five hours before the analysis started at 07:13:04 +02:00, i.e. 05:13 UTC: the binary was built the same day it was submitted)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744 (the hash every 32-bit .NET executable shares, since its only import is mscoree!_CorExeMain; it identifies the runtime, not this family)
                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                   Name | Virtual Address | Virtual Size | Is in Section
                                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x56fb4 | 0x57 | .text
                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x35004 | .rsrc
                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e000 | 0xc | .reloc
                                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                   .text | 0x2000 | 0x55014 | 0x55200 | 54d391401da5f92e06496553852519ac | False | 0.7384963518722467 | SysEx File - | 6.214684962548715 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                   .rsrc | 0x58000 | 0x35004 | 0x35200 | 0c3e512fd03aa067ce13aa9e47cfc4b0 | False | 0.2096920955882353 | data | 4.457481043915203 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   .reloc | 0x8e000 | 0xc | 0x200 | bd7e376c985099cc5aee7a86630d4799 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                   RT_ICON | 0x58460 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.3225609756097561
                                                   RT_ICON | 0x58ac8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.43951612903225806
                                                   RT_ICON | 0x58db0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.4016393442622951
                                                   RT_ICON | 0x58f98 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.4831081081081081
                                                   RT_ICON | 0x590c0 | 0x35e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9907192575406032
                                                   RT_ICON | 0x5c6a0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.4584221748400853
                                                   RT_ICON | 0x5d548 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.47382671480144406
                                                   RT_ICON | 0x5ddf0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.45564516129032256
                                                   RT_ICON | 0x5e4b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.3504335260115607
                                                   RT_ICON | 0x5ea20 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.07868508221933042
                                                   RT_ICON | 0x6f248 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.15114568005045195
                                                   RT_ICON | 0x786f0 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | | | 0.1543233082706767
                                                   RT_ICON | 0x7eed8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.175184842883549
                                                   RT_ICON | 0x84360 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.15948275862068967
                                                   RT_ICON | 0x88588 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.24107883817427386
                                                   RT_ICON | 0x8ab30 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.2678236397748593
                                                   RT_ICON | 0x8bbd8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.37459016393442623
                                                   RT_ICON | 0x8c560 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.42819148936170215
                                                   RT_GROUP_ICON | 0x8c9c8 | 0x102 | data | | | 0.5775193798449613
                                                   RT_VERSION | 0x8cacc | 0x34c | data | | | 0.4146919431279621
                                                   RT_MANIFEST | 0x8ce18 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                                   DLL | Import
                                                   mscoree.dll | _CorExeMain
                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                   Apr 17, 2024 07:13:50.694330931 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
                                                   Apr 17, 2024 07:13:50.694423914 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
                                                   Apr 17, 2024 07:13:50.694636106 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
                                                   Apr 17, 2024 07:13:50.700783968 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
                                                   Apr 17, 2024 07:13:50.700820923 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
                                                   Apr 17, 2024 07:13:50.921248913 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
                                                   Apr 17, 2024 07:13:50.921516895 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
                                                   Apr 17, 2024 07:13:50.923881054 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
                                                   Apr 17, 2024 07:13:50.923907042 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
                                                   Apr 17, 2024 07:13:50.924175978 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
                                                   Apr 17, 2024 07:13:50.974773884 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
                                                   Apr 17, 2024 07:13:50.984734058 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
                                                   Apr 17, 2024 07:13:51.032113075 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
                                                   Apr 17, 2024 07:13:51.224271059 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
                                                   Apr 17, 2024 07:13:51.224334955 CEST | 443 | 49705 | 104.26.12.205 | 192.168.2.5
                                                   Apr 17, 2024 07:13:51.224410057 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
                                                   Apr 17, 2024 07:13:51.239022017 CEST | 49705 | 443 | 192.168.2.5 | 104.26.12.205
                                                   Apr 17, 2024 07:13:51.889219999 CEST | 49706 | 25 | 192.168.2.5 | 46.175.148.58
                                                   Apr 17, 2024 07:13:52.896576881 CEST | 49706 | 25 | 192.168.2.5 | 46.175.148.58
                                                   Apr 17, 2024 07:13:54.896564007 CEST | 49706 | 25 | 192.168.2.5 | 46.175.148.58
                                                   Apr 17, 2024 07:13:58.917332888 CEST | 49706 | 25 | 192.168.2.5 | 46.175.148.58
                                                   Apr 17, 2024 07:14:06.943523884 CEST | 49706 | 25 | 192.168.2.5 | 46.175.148.58
                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                   Apr 17, 2024 07:13:50.583564043 CEST | 61977 | 53 | 192.168.2.5 | 1.1.1.1
                                                   Apr 17, 2024 07:13:50.688230991 CEST | 53 | 61977 | 1.1.1.1 | 192.168.2.5
                                                   Apr 17, 2024 07:13:51.761445045 CEST | 63427 | 53 | 192.168.2.5 | 1.1.1.1
                                                   Apr 17, 2024 07:13:51.888370991 CEST | 53 | 63427 | 1.1.1.1 | 192.168.2.5
                                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                   Apr 17, 2024 07:13:50.583564043 CEST | 192.168.2.5 | 1.1.1.1 | 0xcf43 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                   Apr 17, 2024 07:13:51.761445045 CEST | 192.168.2.5 | 1.1.1.1 | 0xbf26 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
                                                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                   Apr 17, 2024 07:13:50.688230991 CEST | 1.1.1.1 | 192.168.2.5 | 0xcf43 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                   Apr 17, 2024 07:13:50.688230991 CEST | 1.1.1.1 | 192.168.2.5 | 0xcf43 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                   Apr 17, 2024 07:13:50.688230991 CEST | 1.1.1.1 | 192.168.2.5 | 0xcf43 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                   Apr 17, 2024 07:13:51.888370991 CEST | 1.1.1.1 | 192.168.2.5 | 0xbf26 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false
                                                  • api.ipify.org
                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                   0 | 192.168.2.5 | 49705 | 104.26.12.205 | 443 | 4512 | C:\Users\user\Desktop\Eaton PO-45150292964.exe
                                                   Timestamp | Bytes transferred | Direction | Data
                                                   2024-04-17 05:13:50 UTC | 155 | OUT | GET / HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                       Host: api.ipify.org
                                                       Connection: Keep-Alive
                                                   2024-04-17 05:13:51 UTC | 211 | IN | HTTP/1.1 200 OK
                                                       Date: Wed, 17 Apr 2024 05:13:51 GMT
                                                       Content-Type: text/plain
                                                       Content-Length: 12
                                                       Connection: close
                                                       Vary: Origin
                                                       CF-Cache-Status: DYNAMIC
                                                       Server: cloudflare
                                                       CF-RAY: 8759ed9e780944dc-ATL
                                                   2024-04-17 05:13:51 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
                                                       Data Ascii: 81.181.57.52
                                                  Target ID:0
                                                  Start time:07:13:47
                                                  Start date:17/04/2024
                                                  Path:C:\Users\user\Desktop\Eaton PO-45150292964.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\Eaton PO-45150292964.exe"
                                                  Imagebase:0x240000
                                                  File size:567'296 bytes
                                                  MD5 hash:3A64B763C78291700BD114BFC3ECDDE3
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1996509099.0000000004B10000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1995567829.0000000003564000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:07:13:47
                                                  Start date:17/04/2024
                                                  Path:C:\Users\user\Desktop\Eaton PO-45150292964.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\Eaton PO-45150292964.exe"
                                                  Imagebase:0x2d0000
                                                  File size:567'296 bytes
                                                  MD5 hash:3A64B763C78291700BD114BFC3ECDDE3
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:07:13:48
                                                  Start date:17/04/2024
                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 80
                                                  Imagebase:0x2c0000
                                                  File size:483'680 bytes
                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:07:13:49
                                                  Start date:17/04/2024
                                                  Path:C:\Users\user\Desktop\Eaton PO-45150292964.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\Eaton PO-45150292964.exe"
                                                  Imagebase:0x7f0000
                                                  File size:567'296 bytes
                                                  MD5 hash:3A64B763C78291700BD114BFC3ECDDE3
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4451010775.0000000002D0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4449526095.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.4451010775.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4451010775.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false


                                                    Execution Graph

                                                    Execution Coverage:36.1%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:55.8%
                                                    Total number of Nodes:113
                                                    Total number of Limit Nodes:0
                                                    execution_graph 1354 c304c3 1355 c304d6 1354->1355 1357 c30870 CallWindowProcA 1355->1357 1356 c3085d 1357->1356 1235 c30d30 1236 c30d73 VirtualAlloc 1235->1236 1237 c30da7 1236->1237 1377 c31030 1378 c3107b CallWindowProcA 1377->1378 1379 c310b2 1378->1379 1238 4a50000 1271 4a50054 1238->1271 1240 4a50006 1303 4a50420 1240->1303 1242 4a50083 1243 4a50420 VirtualAlloc 1242->1243 1244 4a5008f 1243->1244 1245 4a50420 VirtualAlloc 1244->1245 1246 4a50098 1245->1246 1247 4a50420 VirtualAlloc 1246->1247 1248 4a500a1 1247->1248 1249 4a50420 VirtualAlloc 1248->1249 1250 4a500aa 1249->1250 1251 4a50420 VirtualAlloc 1250->1251 1252 4a500b6 1251->1252 1253 4a50155 CreateProcessW 1252->1253 1254 4a50170 1253->1254 1255 4a5018b NtUnmapViewOfSection 1254->1255 1256 4a5019b 1255->1256 1257 4a501b8 VirtualAllocEx 1256->1257 1258 4a501d2 1257->1258 1259 4a50214 WriteProcessMemory 1258->1259 1260 4a50220 1259->1260 1261 4a502fa WriteProcessMemory 1260->1261 1262 4a5031e 1260->1262 1261->1260 1263 4a5034f Wow64GetThreadContext 1262->1263 1264 4a5035e 1263->1264 1265 4a5039e WriteProcessMemory 1264->1265 1266 4a503aa 1265->1266 1267 4a503e5 Wow64SetThreadContext 1266->1267 1268 4a503f5 1267->1268 1269 4a50407 ResumeThread 1268->1269 1270 4a50415 1269->1270 1272 4a5005e 1271->1272 1273 4a50420 VirtualAlloc 1272->1273 1274 4a50083 1273->1274 1275 4a50420 VirtualAlloc 1274->1275 1276 4a5008f 1275->1276 1277 4a50420 VirtualAlloc 1276->1277 1278 4a50098 1277->1278 1279 4a50420 VirtualAlloc 1278->1279 1280 4a500a1 1279->1280 1281 4a50420 VirtualAlloc 1280->1281 1282 4a500aa 1281->1282 1283 4a50420 VirtualAlloc 1282->1283 1284 4a500b6 1283->1284 1285 4a50155 CreateProcessW 1284->1285 1286 4a50170 1285->1286 1287 4a5018b NtUnmapViewOfSection 1286->1287 1288 4a5019b 1287->1288 1289 4a501b8 VirtualAllocEx 1288->1289 1290 4a501d2 1289->1290 1291 4a50214 WriteProcessMemory 1290->1291 1292 4a50220 1291->1292 1293 4a502fa WriteProcessMemory 
1292->1293 1294 4a5031e 1292->1294 1293->1292 1295 4a5034f Wow64GetThreadContext 1294->1295 1296 4a5035e 1295->1296 1297 4a5039e WriteProcessMemory 1296->1297 1298 4a503aa 1297->1298 1299 4a503e5 Wow64SetThreadContext 1298->1299 1300 4a503f5 1299->1300 1301 4a50407 ResumeThread 1300->1301 1302 4a50415 1301->1302 1302->1240 1304 4a50427 1303->1304 1305 4a50432 VirtualAlloc 1304->1305 1306 4a5044a 1305->1306 1306->1242 1374 c30d29 1375 c30d73 VirtualAlloc 1374->1375 1376 c30da7 1375->1376 1307 c30848 1308 c30855 1307->1308 1311 c30870 1308->1311 1312 c308c4 1311->1312 1316 c30900 1312->1316 1320 c30910 1312->1320 1313 c3085d 1317 c30939 1316->1317 1324 c30988 1317->1324 1321 c30939 1320->1321 1323 c30988 CallWindowProcA 1321->1323 1322 c30953 1322->1322 1323->1322 1325 c309c1 1324->1325 1326 c30953 1324->1326 1329 c30dd8 1325->1329 1333 c30dc9 1325->1333 1330 c30e25 1329->1330 1337 c30e61 1330->1337 1334 c30e25 1333->1334 1336 c30e61 CallWindowProcA 1334->1336 1335 c30e4b 1335->1326 1336->1335 1338 c30e99 1337->1338 1342 c30ee8 1338->1342 1346 c30ef8 1338->1346 1339 c30eb3 1344 c30f21 1342->1344 1345 c30f81 1344->1345 1350 c305c4 1344->1350 1345->1339 1347 c30f21 1346->1347 1348 c305c4 CallWindowProcA 1347->1348 1349 c30f81 1347->1349 1348->1347 1349->1339 1351 c31038 CallWindowProcA 1350->1351 1353 c310b2 1351->1353 1353->1344

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 04A50054: CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 04A50167
                                                    • NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 04A50192
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 04A501C9
                                                    • WriteProcessMemory.KERNELBASE ref: 04A50217
                                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 04A502FD
                                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 04A50355
                                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 04A503A1
                                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 04A503EC
                                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 04A5040C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1996028333.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4a50000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID: Process$MemoryThreadWrite$ContextWow64$AllocCreateResumeSectionUnmapViewVirtual
                                                    • String ID:
                                                    • API String ID: 2814188497-0
                                                    • Opcode ID: 475579a4da51060551cf1a565a06ecb6062e12be4c39a443bcd9d84050d1d347
                                                    • Instruction ID: 9c6ee690607399527f5e6b209696fdd910028e1648fde6f5a0f1d18834eedd2f
                                                    • Opcode Fuzzy Hash: 475579a4da51060551cf1a565a06ecb6062e12be4c39a443bcd9d84050d1d347
                                                    • Instruction Fuzzy Hash: 21B109746D8244BFF61577B19F06F2937359FA6B0CF1480A9EA006F1F3C9B278218662
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 04A50420: VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,04A50083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 04A5043F
                                                    • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000042,0000002A,0000002E,?,16B3FE88,00000000), ref: 04A50167
                                                    • NtUnmapViewOfSection.NTDLL(?,?,0000002E,00000022,?,F21037D0,00000012,?,00000000,00000000,00000000,00000000,00000004,00000000,00000000), ref: 04A50192
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040,0000002E,00000022,?,6E1A959C,00000000,?,?,0000002E,00000022,?,F21037D0), ref: 04A501C9
                                                    • WriteProcessMemory.KERNELBASE ref: 04A50217
                                                    • WriteProcessMemory.KERNELBASE(00000026,0000003E,00000026,?,CF14E85B,00000012), ref: 04A502FD
                                                    • Wow64GetThreadContext.KERNEL32(?,?,0000002E,00000032,?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 04A50355
                                                    • WriteProcessMemory.KERNELBASE(?,68A7C7D2,00000000,00000032,0000003A,00000036,?,CF14E85B,00000012), ref: 04A503A1
                                                    • Wow64SetThreadContext.KERNEL32(?,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000,00000032,0000003A,00000036), ref: 04A503EC
                                                    • ResumeThread.KERNELBASE(?,0000002E,?,9E4A3F88,00000000,?,0000002E,00000032,?,E8A7C7D3,00000000,00000032,00000022,?,68A7C7D2,00000000), ref: 04A5040C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1996028333.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4a50000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID: Process$MemoryThreadWrite$AllocContextVirtualWow64$CreateResumeSectionUnmapView
                                                    • String ID:
                                                    • API String ID: 4009322845-0
                                                    • Opcode ID: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
                                                    • Instruction ID: e2e1c1c7f87e8d6c98901f61118f9dc133cfa63896666a5e77a58be95032c667
                                                    • Opcode Fuzzy Hash: abefd893c78f63ec501357fb14bf61d80a739cae84c00b71e3bd370fcc70d613
                                                    • Instruction Fuzzy Hash: 17A1B6746D8204BFF6157BF1DF46F2D36259FA5B0CF208168EA006E1F2C9B279219662
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 366 c305c4-c310b0 CallWindowProcA 369 c310b2-c310b8 366->369 370 c310b9-c310cd 366->370 369->370
                                                    APIs
                                                    • CallWindowProcA.USER32(?,00000000,?,?,FFFFFFFF), ref: 00C310A3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1995181409.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c30000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: 8c7899244b04bf77df66a88ccebab00dd5d2a200458d119c5d7527e5f289206e
                                                    • Instruction ID: cefee35d192f497cebbc512c725c435c94329c4a6d309232f693f385f1a95b53
                                                    • Opcode Fuzzy Hash: 8c7899244b04bf77df66a88ccebab00dd5d2a200458d119c5d7527e5f289206e
                                                    • Instruction Fuzzy Hash: 841116B5810289DFCB24DF9AD884BDEBFF4FB88310F148459E919A7210C375A954CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 372 c31030-c31073 373 c3107b-c310b0 CallWindowProcA 372->373 374 c310b2-c310b8 373->374 375 c310b9-c310cd 373->375 374->375
                                                    APIs
                                                    • CallWindowProcA.USER32(?,00000000,?,?,FFFFFFFF), ref: 00C310A3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1995181409.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c30000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: a5cb6d5c4a9c1e019323734e412dff3d2f3e81af88573533aa894a2d8ba9bfba
                                                    • Instruction ID: 1ca95447378443c2b19284784f7b5d1355f5a5440d5d11661b6f3d13598f19cc
                                                    • Opcode Fuzzy Hash: a5cb6d5c4a9c1e019323734e412dff3d2f3e81af88573533aa894a2d8ba9bfba
                                                    • Instruction Fuzzy Hash: 971113B6910249DFCB10CF99D984BDEBFF4FB88310F248419E929A7210C375A954CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 402 c30d29-c30da5 VirtualAlloc 404 c30da7-c30dad 402->404 405 c30dae-c30dc2 402->405 404->405
                                                    APIs
                                                    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00C30D98
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1995181409.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c30000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 5845b760a5c4fa9e4b9f58422984ecfb4cbe08ccf990d5ef0683385d7f573c6b
                                                    • Instruction ID: 26fbf58525cfa49c52360da1b3dd8472941ca57e12701ec37cb266ec3334c373
                                                    • Opcode Fuzzy Hash: 5845b760a5c4fa9e4b9f58422984ecfb4cbe08ccf990d5ef0683385d7f573c6b
                                                    • Instruction Fuzzy Hash: 381102B68002499FCB10CF9AD984BDEBFF4FB88310F208459E459A7250C375A984CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 407 c30d30-c30da5 VirtualAlloc 409 c30da7-c30dad 407->409 410 c30dae-c30dc2 407->410 409->410
                                                    APIs
                                                    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00C30D98
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1995181409.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c30000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: c6841d22fb525f6c402dd07609cfd3378ed333a6a603e1e91b393812f040eff9
                                                    • Instruction ID: 03607ecdaf7a81f76ae4a4f5d747eae70b102de8969a366378a4f48a6096b311
                                                    • Opcode Fuzzy Hash: c6841d22fb525f6c402dd07609cfd3378ed333a6a603e1e91b393812f040eff9
                                                    • Instruction Fuzzy Hash: 9111F5B6C002499FCB10DF9AD545BDEBFF4EB88310F208419E559A7250C375A944CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    APIs
                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,91AFCA54,00000000,04A50083,0000003C,0000001E,0000004A,0000003E,00000042), ref: 04A5043F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1996028333.0000000004A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A50000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4a50000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                                    • Instruction ID: 51193051b077660b080e775acc6d7b0aa95179f2b6e878ce1320efcbcba43ad8
                                                    • Opcode Fuzzy Hash: 06eb02c548db0a05d1e20e56bead04f6bc1efedc2ff2b69c3f0a506310807bbb
                                                    • Instruction Fuzzy Hash: 3CD022701CC3007AF2017BB14F02F1C36A0AF50B0DF400814FB04380F2C5BAB8180256
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1994757325.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_99d000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e2a7987bbe15a41ec5af68b7e8c7e533812b3109ac67951bf926c2b535e673ab
                                                    • Instruction ID: d375779a8808d8aeb4fbc253a6c119ddbe691ea93bfb24db130b85b7651639e8
                                                    • Opcode Fuzzy Hash: e2a7987bbe15a41ec5af68b7e8c7e533812b3109ac67951bf926c2b535e673ab
                                                    • Instruction Fuzzy Hash: 9301D6B10063409AEF109A5EDDC4B67FFECEF55360F28C91AED090A286C3789845CA71
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1994757325.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_99d000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6211a2e78ee8e760672a181f9601b986044573cfe8164250a4857e759b729ea2
                                                    • Instruction ID: 8ae7cdce661a825678e5139c6a0d54da946dbd22121884a62fd6eeee2d6e73c8
                                                    • Opcode Fuzzy Hash: 6211a2e78ee8e760672a181f9601b986044573cfe8164250a4857e759b729ea2
                                                    • Instruction Fuzzy Hash: 4FF0CDB1405340AEEB108A0ADDC8B62FFACEF51364F18C45AED080B286C3789845CAB0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Execution Graph

                                                    Execution Coverage:12.9%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:26
                                                    Total number of Limit Nodes:5
                                                    execution_graph 24811 fd0848 24813 fd084e 24811->24813 24812 fd091b 24813->24812 24816 fd1488 24813->24816 24822 fd1382 24813->24822 24817 fd148f 24816->24817 24819 fd1396 24816->24819 24817->24813 24818 fd1484 24818->24813 24819->24818 24821 fd1488 GlobalMemoryStatusEx 24819->24821 24827 fd7ea8 24819->24827 24821->24819 24824 fd1396 24822->24824 24823 fd1484 24823->24813 24824->24823 24825 fd7ea8 GlobalMemoryStatusEx 24824->24825 24826 fd1488 GlobalMemoryStatusEx 24824->24826 24825->24824 24826->24824 24828 fd7eb2 24827->24828 24829 fd7ecc 24828->24829 24832 668d9e0 24828->24832 24837 668d9f0 24828->24837 24829->24819 24834 668da05 24832->24834 24833 668dc1a 24833->24829 24834->24833 24835 668de88 GlobalMemoryStatusEx 24834->24835 24836 668dc31 GlobalMemoryStatusEx 24834->24836 24835->24834 24836->24834 24839 668da05 24837->24839 24838 668dc1a 24838->24829 24839->24838 24840 668de88 GlobalMemoryStatusEx 24839->24840 24841 668dc31 GlobalMemoryStatusEx 24839->24841 24840->24839 24841->24839

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 126 6681030-6681051 127 6681053-6681056 126->127 128 668105c-668107b 127->128 129 66817f7-66817fa 127->129 138 668107d-6681080 128->138 139 6681094-668109e 128->139 130 66817fc-668181b 129->130 131 6681820-6681822 129->131 130->131 132 6681829-668182c 131->132 133 6681824 131->133 132->127 135 6681832-668183b 132->135 133->132 138->139 141 6681082-6681092 138->141 143 66810a4-66810b3 139->143 141->143 252 66810b5 call 6681848 143->252 253 66810b5 call 6681850 143->253 145 66810ba-66810bf 146 66810cc-66813a9 145->146 147 66810c1-66810c7 145->147 168 66817e9-66817f6 146->168 169 66813af-668145e 146->169 147->135 178 6681460-6681485 169->178 179 6681487 169->179 181 6681490-66814a3 178->181 179->181 183 66814a9-66814cb 181->183 184 66817d0-66817dc 181->184 183->184 187 66814d1-66814db 183->187 184->169 185 66817e2 184->185 185->168 187->184 188 66814e1-66814ec 187->188 188->184 189 66814f2-66815c8 188->189 201 66815ca-66815cc 189->201 202 66815d6-6681606 189->202 201->202 206 6681608-668160a 202->206 207 6681614-6681620 202->207 206->207 208 6681680-6681684 207->208 209 6681622-6681626 207->209 210 668168a-66816c6 208->210 211 66817c1-66817ca 208->211 209->208 212 6681628-6681652 209->212 222 66816c8-66816ca 210->222 223 66816d4-66816e2 210->223 211->184 211->189 219 6681660-668167d 212->219 220 6681654-6681656 212->220 219->208 220->219 222->223 226 66816f9-6681704 223->226 227 66816e4-66816ef 223->227 231 668171c-668172d 226->231 232 6681706-668170c 226->232 227->226 230 66816f1 227->230 230->226 236 668172f-6681735 231->236 237 6681745-6681751 231->237 233 668170e 232->233 234 6681710-6681712 232->234 233->231 234->231 238 6681739-668173b 236->238 239 6681737 236->239 241 6681769-66817ba 237->241 242 6681753-6681759 237->242 238->237 239->237 241->211 243 668175b 242->243 244 668175d-668175f 242->244 243->241 244->241 252->145 253->145
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4453229486.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6680000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                    • API String ID: 0-3723351465
                                                    • Opcode ID: a62e65e29a60859aafb19e70d9e36fba2cf2470d69b49e4c2906f5bf6dd0e33e
                                                    • Instruction ID: 78365a8ff29cd30c19082ff100adb61072f82bab59efa789379f1adfaa9d702b
                                                    • Opcode Fuzzy Hash: a62e65e29a60859aafb19e70d9e36fba2cf2470d69b49e4c2906f5bf6dd0e33e
                                                    • Instruction Fuzzy Hash: C3322E31E1071A8FCB55EF75C89459DF7B2FFC9300F24866AD409A7254EB30AA86CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 794 6685d30-6685d4e 795 6685d50-6685d53 794->795 796 6685d55-6685d71 795->796 797 6685d76-6685d79 795->797 796->797 798 6685d9a-6685d9d 797->798 799 6685d7b-6685d95 797->799 800 6685daa-6685dad 798->800 801 6685d9f-6685da9 798->801 799->798 804 6685daf-6685dbd 800->804 805 6685dc4-6685dc6 800->805 809 6685dd6-6685dec 804->809 812 6685dbf 804->812 807 6685dc8 805->807 808 6685dcd-6685dd0 805->808 807->808 808->795 808->809 814 6685df2-6685dfb 809->814 815 6686007-6686011 809->815 812->805 816 6685e01-6685e1e 814->816 817 6686012-6686047 814->817 826 6685ff4-6686001 816->826 827 6685e24-6685e4c 816->827 820 6686049-668604c 817->820 822 6686278-668627b 820->822 823 6686052-6686061 820->823 824 6686281-668628d 822->824 825 6686332-6686335 822->825 831 6686080-66860bb 823->831 832 6686063-668607e 823->832 833 6686298-668629a 824->833 828 6686358-668635a 825->828 829 6686337-6686353 825->829 826->814 826->815 827->826 852 6685e52-6685e5b 827->852 834 668635c 828->834 835 6686361-6686364 828->835 829->828 849 668624c-6686262 831->849 850 66860c1-66860d2 831->850 832->831 837 668629c-66862a2 833->837 838 66862b2-66862b9 833->838 834->835 835->820 840 668636a-6686373 835->840 842 66862a4 837->842 843 66862a6-66862a8 837->843 845 66862ca 838->845 846 66862bb-66862c8 838->846 842->838 843->838 848 66862cf-66862d1 845->848 846->848 855 66862e8-6686321 848->855 856 66862d3-66862d6 848->856 849->822 860 66860d8-66860f5 850->860 861 6686237-6686246 850->861 852->817 853 6685e61-6685e7d 852->853 864 6685fe2-6685fee 853->864 865 6685e83-6685ead 853->865 855->823 876 6686327-6686331 855->876 856->840 860->861 872 66860fb-66861f1 call 6684550 860->872 861->849 861->850 864->826 864->852 878 6685fd8-6685fdd 865->878 879 6685eb3-6685edb 865->879 927 66861ff 872->927 928 66861f3-66861fd 872->928 878->864 879->878 886 6685ee1-6685f0f 879->886 886->878 891 6685f15-6685f1e 886->891 891->878 892 6685f24-6685f56 891->892 900 6685f58-6685f5c 892->900 901 6685f61-6685f7d 892->901 900->878 903 6685f5e 900->903 901->864 904 6685f7f-6685fd6 call 6684550 901->904 903->901 904->864 929 6686204-6686206 927->929 928->929 929->861 930 6686208-668620d 929->930 931 668621b 930->931 932 668620f-6686219 930->932 933 6686220-6686222 931->933 932->933 933->861 934 6686224-6686230 933->934 934->861
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4453229486.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6680000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q
                                                    • API String ID: 0-127220927
                                                    • Opcode ID: 5869241172f2a5edb506773abca9ed08cd51257265b049b5d35024c175358218
                                                    • Instruction ID: 790ccf0514fe318fc94281d34fa77f15d7ff2cff58192340cb6448b44071ceab
                                                    • Opcode Fuzzy Hash: 5869241172f2a5edb506773abca9ed08cd51257265b049b5d35024c175358218
                                                    • Instruction Fuzzy Hash: 91028F30B002059FDB54EB78D594A6EB7E2FF84304F258669E806DB395DB35EC82CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1066 668e0b9-668e0da 1067 668e0dc-668e109 call 668d1c0 call 668d09c 1066->1067 1068 668e13e-668e145 1066->1068 1075 668e10e-668e11b 1067->1075 1077 668e11d-668e136 1075->1077 1078 668e146-668e1ad 1075->1078 1077->1068 1088 668e1af-668e1b1 1078->1088 1089 668e1b6-668e1c6 1078->1089 1090 668e455-668e45c 1088->1090 1091 668e1c8 1089->1091 1092 668e1cd-668e1dd 1089->1092 1091->1090 1094 668e43c-668e44a 1092->1094 1095 668e1e3-668e1f1 1092->1095 1098 668e45d-668e4d6 1094->1098 1100 668e44c-668e44e 1094->1100 1095->1098 1099 668e1f7 1095->1099 1099->1098 1101 668e288-668e2a9 1099->1101 1102 668e40c-668e42e 1099->1102 1103 668e2ae-668e2cf 1099->1103 1104 668e3ef-668e40a 1099->1104 1105 668e3c1-668e3ed 1099->1105 1106 668e262-668e283 1099->1106 1107 668e327-668e34f 1099->1107 1108 668e2fa-668e322 1099->1108 1109 668e23b-668e25d 1099->1109 1110 668e1fe-668e210 1099->1110 1111 668e430-668e43a 1099->1111 1112 668e2d4-668e2f5 1099->1112 1113 668e354-668e391 1099->1113 1114 668e215-668e236 1099->1114 1115 668e396-668e3bc 1099->1115 1100->1090 1101->1090 1102->1090 1103->1090 1104->1090 1105->1090 1106->1090 1107->1090 1108->1090 1109->1090 1110->1090 1111->1090 1112->1090 1113->1090 1114->1090 1115->1090
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4453229486.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6680000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Xaq$$]q
                                                    • API String ID: 0-1280934391
                                                    • Opcode ID: f5813452347c84e16d36efe564d08da79ba26844e8864600a3546703175ef87f
                                                    • Instruction ID: 9d879720024b6ecf9881b9de92df04c0d0463f2464212c6e26da98df398ecab2
                                                    • Opcode Fuzzy Hash: f5813452347c84e16d36efe564d08da79ba26844e8864600a3546703175ef87f
                                                    • Instruction Fuzzy Hash: 36B1C230B042189FDB58EF79985467E7BB7BFC8710B19852EE50AD7384DE398C029792
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d88b86519291a34cdc270c28efd42be7176b303712b090fe1dbb86f8d0a66d72
                                                    • Instruction ID: 573004f0b6d32fbf79167846143151ce514e5e58c57bd6939e8db51764cd0e87
                                                    • Opcode Fuzzy Hash: d88b86519291a34cdc270c28efd42be7176b303712b090fe1dbb86f8d0a66d72
                                                    • Instruction Fuzzy Hash: B553E831C10B1A8ACB51EF68C8905A9F7B1FF99310F15D79AE45877221FB70AAD4CB81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Vl
                                                    • API String ID: 0-682378881
                                                    • Opcode ID: b3edf202817325be9231ff04afc15c1ada6478f3105550a0ac82c994b5161b93
                                                    • Instruction ID: db13116ea186ccd369fbb96c1a35374e5311f9c769e61f4ff2ec8609af178698
                                                    • Opcode Fuzzy Hash: b3edf202817325be9231ff04afc15c1ada6478f3105550a0ac82c994b5161b93
                                                    • Instruction Fuzzy Hash: 77915E71E00209DFDF14CFA9C9857DDBBF2AF88314F18812AE415A7354EB749986DB82
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4453229486.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6680000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f63fbd3d990954d5555b74c6d965c38894d49d1e41598cbb714033bceeeb6fc3
                                                    • Instruction ID: 6b3ccb599e442dd7462ee5989b14587ac52dc17d2776e9d6f77b567eb8cf6b90
                                                    • Opcode Fuzzy Hash: f63fbd3d990954d5555b74c6d965c38894d49d1e41598cbb714033bceeeb6fc3
                                                    • Instruction Fuzzy Hash: 11925734A00204CFDB64EB68C584A5DB7F2FB85314F55CAA9E449EB351DB35EC8ACB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4453229486.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6680000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 639b05cb11daf2a5ccd705da5d01b005f14b946d958dbdcbd8e738b5743b7d5d
                                                    • Instruction ID: 31c8d2fa3508ffcc5381601725312440ac0a4af238b90a3e12c1e164dd1c611d
                                                    • Opcode Fuzzy Hash: 639b05cb11daf2a5ccd705da5d01b005f14b946d958dbdcbd8e738b5743b7d5d
                                                    • Instruction Fuzzy Hash: B4629D30A002068FDB54EB78D584BADB7F2EF84314F258629E506EB395DB35ED42CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4453229486.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6680000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 14a27e339d734e6efbaffa69935985030183e6e40946b1d338c5522b04dfc927
                                                    • Instruction ID: 527ca18738cb5c9712e45c561d79df6725da10eecbb9fbaa680259ba999185ce
                                                    • Opcode Fuzzy Hash: 14a27e339d734e6efbaffa69935985030183e6e40946b1d338c5522b04dfc927
                                                    • Instruction Fuzzy Hash: E8327F34B102099FDF54EBA8D894BADB7B2FB88310F218626E905D7355DB35EC42CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4453229486.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6680000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bcaad5a79b8639913bcf3b20da845ea284a5bb55904855f1decad1defff4844b
                                                    • Instruction ID: 35ce4e0e5235447ba6710e621a65308ba75bce9f5337172bd82df2f5a7a63aea
                                                    • Opcode Fuzzy Hash: bcaad5a79b8639913bcf3b20da845ea284a5bb55904855f1decad1defff4844b
                                                    • Instruction Fuzzy Hash: E422E171F002159FDB64EFB8C8806AEB7B2EB84710F248569D919EB345DB34ED42CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4453229486.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6680000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 14ccdfad3b658c994bb35c8db38f53a95726a98fd15f80620f237ee3846e0ad0
                                                    • Instruction ID: cb931a29fa294bd11fafd3eb7a035ef4b4792cbcbc66f27ab7c85409bb8807b5
                                                    • Opcode Fuzzy Hash: 14ccdfad3b658c994bb35c8db38f53a95726a98fd15f80620f237ee3846e0ad0
                                                    • Instruction Fuzzy Hash: 71225170E102099FDF64EA6CD4907BEB7A6EB85310F248B26E459DB391CA35DC81CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5e788d95f9468e0db2569877b3a649c577570c3b1983ad3bb2f236584dafbd71
                                                    • Instruction ID: 526d361ee814be9e87d9601ee3c89ee7558785d6d6707c9f5c283e9cf5ac9cf5
                                                    • Opcode Fuzzy Hash: 5e788d95f9468e0db2569877b3a649c577570c3b1983ad3bb2f236584dafbd71
                                                    • Instruction Fuzzy Hash: 64B13E71E102099FDF10CFA9C98579DBBF3AF88314F18852AD819E7394EB74A845DB81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    • Function at FD4810-FD4A5C (rendered block graph not recoverable as text; its edge list shows two calls to FD0AB8, from the blocks at FD4A17 and FD4A2B)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Vl$\Vl
                                                    • API String ID: 0-415357090
                                                    • Opcode ID: 5ec53226368e63a72a08ff921f8245495cbd5f40936654ad298cff4bcec96371
                                                    • Instruction ID: a1744a9518bc7dd4e572ef5f71fbfcfff893422b0d0def2026cced3cd74858ce
                                                    • Opcode Fuzzy Hash: 5ec53226368e63a72a08ff921f8245495cbd5f40936654ad298cff4bcec96371
                                                    • Instruction Fuzzy Hash: A6718F70E002498FDF10CFA9C88579EBBF2BF88314F18812AE419A7354DB74A842DB85
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Control-flow Graph
                                                    • Function at FD4806-FD4A5C (rendered block graph not recoverable as text; its edge list shows two calls to FD0AB8, from the blocks at FD4A17 and FD4A2B)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Vl$\Vl
                                                    • API String ID: 0-415357090
                                                    • Opcode ID: 96f0dae882e274d8514525ca763ed0e88b76fa3088ef695b332eaf84c8193d17
                                                    • Instruction ID: 54181b098f61452ee2c4837bd024ec92c7393d68db0f7b2896c2b24f00da1d80
                                                    • Opcode Fuzzy Hash: 96f0dae882e274d8514525ca763ed0e88b76fa3088ef695b332eaf84c8193d17
                                                    • Instruction Fuzzy Hash: 35715E71E002499FDF10CFA9C98579EBBF2BF48314F18812AE419A7354D774A842DB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4453229486.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6680000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 994d1bef124865de4a87c808abb87ef46736b601aac7ddcd667f274b6f737eb8
                                                    • Instruction ID: 3c7aeb5353d13452873ca7b47c0238a8b4dadbd511078951eceb844a099060fa
                                                    • Opcode Fuzzy Hash: 994d1bef124865de4a87c808abb87ef46736b601aac7ddcd667f274b6f737eb8
                                                    • Instruction Fuzzy Hash: FF412472D043499FCB14EFB9D80469EBBF6EF89310F05866AD908A7341EB749845CBE1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 0668EA9F
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4453229486.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6680000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0
                                                    • Opcode ID: 2ae6db5286120eba959729dbcf1a583b52602c52b91271e407497e3d6f57d084
                                                    • Instruction ID: f7ceb00e2a7f142631e6463a65bc64a5a13911efdf58b87dd358b3493bf565aa
                                                    • Opcode Fuzzy Hash: 2ae6db5286120eba959729dbcf1a583b52602c52b91271e407497e3d6f57d084
                                                    • Instruction Fuzzy Hash: 1A111FB1C0025A9FCB10DFAAC444B9EFBF4BB48320F11812AD818B7240D378A944CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
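
The records above follow one fixed layout: optional APIs / Strings lines, a Memory Dump Source line giving the dump's offset and whether it is based on a PE image, the Similarity bullets (API ID, String ID, API String ID, Opcode ID, Instruction ID and the two fuzzy hashes) and a Uniqueness Score. Two of the FD0000 records share the string reference \Vl$\Vl and have instruction fuzzy hashes that differ in only a few nibbles while their Opcode IDs differ, and the record directly above is the only one in this stretch with a resolved API reference (GlobalMemoryStatusEx). The Python below is an added example, not code from the Joe Sandbox report or from the sample, that parses these records and surfaces both observations. Its input is three records from this page, abridged, and the positional nibble comparison in hash_similarity is an assumption made for illustration; it is not Joe Sandbox's own fuzzy-hash similarity metric.

```python
"""Parse Joe Sandbox per-function records (the layout shown in this report)
and look for near-duplicate functions across memory-dump regions.
Added example; not part of the report. hash_similarity() is an assumed
positional metric, not Joe Sandbox's similarity algorithm."""
import re
from collections import Counter

# Constructed input: three records from the report above, abridged
# (leading whitespace trimmed, some label lines dropped).
SAMPLE = r"""
Strings
Memory Dump Source
• Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
• API ID:
• String ID: \Vl$\Vl
• Opcode ID: 5ec53226368e63a72a08ff921f8245495cbd5f40936654ad298cff4bcec96371
• Instruction Fuzzy Hash: A6718F70E002498FDF10CFA9C88579EBBF2BF88314F18812AE419A7354DB74A842DB85
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
• API ID:
• String ID: \Vl$\Vl
• Opcode ID: 96f0dae882e274d8514525ca763ed0e88b76fa3088ef695b332eaf84c8193d17
• Instruction Fuzzy Hash: 35715E71E002499FDF10CFA9C98579EBBF2BF48314F18812AE419A7354D774A842DB95
Uniqueness Score: -1.00%

APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 0668EA9F
Memory Dump Source
• Source File: 00000006.00000002.4453229486.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
• API ID: GlobalMemoryStatus
• String ID:
• Opcode ID: 2ae6db5286120eba959729dbcf1a583b52602c52b91271e407497e3d6f57d084
• Instruction Fuzzy Hash: 1A111FB1C0025A9FCB10DFAAC444B9EFBF4BB48320F11812AD818B7240D378A944CFA1
Uniqueness Score: -1.00%
"""

BULLET = re.compile(r"^•\s*(.+?):\s*(.*)$")
API_REF = re.compile(r"^•\s*(\S+)\s+ref:\s*([0-9A-Fa-f]+)$")
SOURCE = re.compile(r"^(\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")


def parse_records(text):
    """One dict per function record; 'APIs' bullets precede the record they belong to."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        api = API_REF.match(line)
        if api or line == "Memory Dump Source":
            if cur is None or "source_file" in cur:  # previous record is complete
                cur = {"apis": [], "score": None}
                records.append(cur)
            if api:
                cur["apis"].append((api.group(1), int(api.group(2), 16)))
            continue
        if cur is None:
            continue
        if line.startswith("Uniqueness Score:"):
            cur["score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
            continue
        kv = BULLET.match(line)
        if not kv:
            continue
        key, val = kv.group(1).lower().replace(" ", "_"), kv.group(2)
        if key == "source_file":
            src = SOURCE.match(val)
            cur.update(source_file=src.group(1), offset=int(src.group(2), 16),
                       based_on_pe=src.group(3) == "true")
        else:
            cur[key] = val
    return records


def hash_similarity(a, b):
    """Fraction of matching nibble positions (assumed metric, see module docstring)."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a.upper(), b.upper())) / len(a)


def near_duplicates(records, threshold=0.8):
    """Pairs of distinct functions whose instruction fuzzy hashes nearly coincide."""
    pairs = []
    for i, r1 in enumerate(records):
        for r2 in records[i + 1:]:
            h1, h2 = r1.get("instruction_fuzzy_hash"), r2.get("instruction_fuzzy_hash")
            if h1 and h2 and r1.get("opcode_id") != r2.get("opcode_id"):
                sim = hash_similarity(h1, h2)
                if sim >= threshold:
                    pairs.append((r1["opcode_id"][:8], r2["opcode_id"][:8], round(sim, 3)))
    return pairs


def functions_per_region(records):
    """Number of functions recovered from each dumped memory region (keyed by offset)."""
    return dict(Counter(r["offset"] for r in records))


RECORDS = parse_records(SAMPLE)
```

Pointing parse_records at the full text of this page's function list (the leading whitespace is stripped by the parser) yields one dict per function; near_duplicates then collapses the repeated FD0000 functions before the Opcode IDs or fuzzy hashes are compared against other dumps, and the apis field isolates the few functions, such as the GlobalMemoryStatusEx caller above, that are worth opening first.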

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Vl
                                                    • API String ID: 0-682378881
                                                    • Opcode ID: 9780a150cbe75a7eeda33cbd355b1d0ee7e4772b988bb8f76fc2577553603ceb
                                                    • Instruction ID: 3b6203e2b5ecc9f53122585c8a73b8e97460d426d20bb80aef867e03e2929bcc
                                                    • Opcode Fuzzy Hash: 9780a150cbe75a7eeda33cbd355b1d0ee7e4772b988bb8f76fc2577553603ceb
                                                    • Instruction Fuzzy Hash: 14A17F71E00209DFDF15CFA8C9857DDBBF2AF88314F18812AE419A7354DB749986DB82
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: c83ecbedebedb592e554c898d2435de8ee30fabfbe79323cc09befa98feeb056
                                                    • Instruction ID: a8b0d22684e3883a9575e14eb6ce803f9fa971ae952504d56da7eae95c6df4d5
                                                    • Opcode Fuzzy Hash: c83ecbedebedb592e554c898d2435de8ee30fabfbe79323cc09befa98feeb056
                                                    • Instruction Fuzzy Hash: D9515A34B142148FCB14EB68C458AAE7BF2FF89710F2544AAE406DB3A1DB75DC41DBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: 8dc13f2e970fdddf5a644c26e76b16b4aaabd5034598d37374addad8a2c7b9f5
                                                    • Instruction ID: 44beb59911b711fff847d11d47d7384e2401cec802b49979b6afdf7d073b35c2
                                                    • Opcode Fuzzy Hash: 8dc13f2e970fdddf5a644c26e76b16b4aaabd5034598d37374addad8a2c7b9f5
                                                    • Instruction Fuzzy Hash: 31315C31E143199BDB24EF65D4447AEB7B2EF89310F24852AE805EB340EB70AD429B51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: d8b1d8d84376ab4a43f1071007083b08614bbbaf471ef9389cad674e982743eb
                                                    • Instruction ID: e1a753f6c3d9093bdab05a31a3a53700b67bb0ebbbc7cdc0e04ef07c56024e35
                                                    • Opcode Fuzzy Hash: d8b1d8d84376ab4a43f1071007083b08614bbbaf471ef9389cad674e982743eb
                                                    • Instruction Fuzzy Hash: 6F315A30E1435A9FEB25EF65C4447AEB7B2EF85310F28846AE805EB340EB709C429B51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q
                                                    • API String ID: 0-3081347316
                                                    • Opcode ID: 712d9f50434ff60ba2247eb7785bb22371c628e236adc860b2a21c2bd661a476
                                                    • Instruction ID: bfbb6792665b9f8c62a55469bbdf0dafdac95a6f47221c1d5c2263df0d7d55e9
                                                    • Opcode Fuzzy Hash: 712d9f50434ff60ba2247eb7785bb22371c628e236adc860b2a21c2bd661a476
                                                    • Instruction Fuzzy Hash: B4213B317082405FC716AB3CD4652AE7BF2EF86310B06849FD055CB39ADE359C46C7A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c4277489ea815b731826bd920c3ace9c5a66a70aacc5e868dca876cee9875d1a
                                                    • Instruction ID: f5dd11319d66032bd0414ef91082efa6095dbcc0a4da7fbe276bceae84941de8
                                                    • Opcode Fuzzy Hash: c4277489ea815b731826bd920c3ace9c5a66a70aacc5e868dca876cee9875d1a
                                                    • Instruction Fuzzy Hash: 931282707012069BCB65AB3CE59866D33A3FBC5350F26492AE406CB355CF35EC879BA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 86d01203a4367e38dc69d74c1b690afc2e343b6ae38e8e3098ed6dcd9dac0727
                                                    • Instruction ID: b0be88890b1057cb41792bcc88027111e9ac51a8f66f34e7d3c5fe2a2d1939a2
                                                    • Opcode Fuzzy Hash: 86d01203a4367e38dc69d74c1b690afc2e343b6ae38e8e3098ed6dcd9dac0727
                                                    • Instruction Fuzzy Hash: F8E1CF30B002058FCB14DB68D594BADB7B3FB89320F288466E509DB395DB35DD42DB56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d97c0e2f33fe55551cfef4d8b1797d97b305950c00f2cb8158217dcd0608e74e
                                                    • Instruction ID: fdd5120575d43f60f7e62eb01b706f5f1170521696d1b71c2266624cdb5e051d
                                                    • Opcode Fuzzy Hash: d97c0e2f33fe55551cfef4d8b1797d97b305950c00f2cb8158217dcd0608e74e
                                                    • Instruction Fuzzy Hash: A1A13E71E102098FDF10CFA8D9867DDBBF2AF88314F18852AD819E7354EB74A845DB81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7851afbffb89aa4a38eb68442207e6d781c49d75fef996f209b42f7898ce1bb2
                                                    • Instruction ID: bba3713b122ce25f7ceab2b3f424da9d5ebf8edab36c0d10564c56440bb985db
                                                    • Opcode Fuzzy Hash: 7851afbffb89aa4a38eb68442207e6d781c49d75fef996f209b42f7898ce1bb2
                                                    • Instruction Fuzzy Hash: C0514D71A00205DFDB14DF69E884799FBB6FF88320F24C1AAE9089B355E770D945CB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b03bd9d4c5dfec717e379c6f54011acf31dc3fb6e4d852ef937deb492d11bcbd
                                                    • Instruction ID: 7735e41d448fb2f2c0b26fe7a7a5b529e27bf7b9450123e259f052ac221e4502
                                                    • Opcode Fuzzy Hash: b03bd9d4c5dfec717e379c6f54011acf31dc3fb6e4d852ef937deb492d11bcbd
                                                    • Instruction Fuzzy Hash: 17513374E002188FDB14CFA9D885B9DBBB2BF48314F18852AE819BB391C774A845DF95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a076dc103e8433dd40db205b391260db9803029ad8e437a52be464ebd7933ba7
                                                    • Instruction ID: 3ba4edd6e67dc990401ba2cc921512566622e42890c71f7dddd636e786d5b4ae
                                                    • Opcode Fuzzy Hash: a076dc103e8433dd40db205b391260db9803029ad8e437a52be464ebd7933ba7
                                                    • Instruction Fuzzy Hash: B7512474E002188FDB14CFA9D885B9DBBB2BF48314F18852AE819BB391D774A844DF95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0129369a6991c0f872e550b8f74564da83029bd45086d6fd0bc19f0d2976851b
                                                    • Instruction ID: 28fddd3cb9ffa482932b7c23f4f3e3745d3a7c200e9ba2a69e4f4aefd6c8f355
                                                    • Opcode Fuzzy Hash: 0129369a6991c0f872e550b8f74564da83029bd45086d6fd0bc19f0d2976851b
                                                    • Instruction Fuzzy Hash: 12511E7411218AAFCB06FB28F888B553F76F76E3043164957E484DB22AD7246D45EB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 591f04f5b2b869a057b5bd502123f4cbeb5fe8aa4c6e7c594768634497c6a581
                                                    • Instruction ID: 5b964ec2d099624e17452819db5094bdde032529294bb40b22202b16f2873b3b
                                                    • Opcode Fuzzy Hash: 591f04f5b2b869a057b5bd502123f4cbeb5fe8aa4c6e7c594768634497c6a581
                                                    • Instruction Fuzzy Hash: A6513F7421218AEFCB05FB28F888B553F6AF76E3043164956E484D7229DB306D45EF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bbb823537048e829c46a313e37ab61e46fa79fc5ad428d8c68b80185fda96f68
                                                    • Instruction ID: 461cf2e8cba6e704e450bb57c68bde661760741e4d7cb255a644192e9f374a15
                                                    • Opcode Fuzzy Hash: bbb823537048e829c46a313e37ab61e46fa79fc5ad428d8c68b80185fda96f68
                                                    • Instruction Fuzzy Hash: 813149B5B00216AFD705DB28C890E3AB7ABFB88304F15C169E5058B299CB32EC53D791
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d152f0a51c3046dbe098fc2ecbeb469c04915abaf81014bc60222770cffc1ac0
                                                    • Instruction ID: 6d03fb17bcb3648a4da04cc3687804482928ec2045008785cab7eea176d7cd36
                                                    • Opcode Fuzzy Hash: d152f0a51c3046dbe098fc2ecbeb469c04915abaf81014bc60222770cffc1ac0
                                                    • Instruction Fuzzy Hash: 2141F2B0D003499FDB10CFA9C584ADEBFB6FF48314F24842AE409AB250DB759946DF91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ff65d5886c2413bc6051d7d0efac1d607c879bb2f7ea7c14a57e3ae03fe4ca3b
                                                    • Instruction ID: befa3b132c3006502a25b56a86a9917465927626e4088bb77d56a94471c7bf25
                                                    • Opcode Fuzzy Hash: ff65d5886c2413bc6051d7d0efac1d607c879bb2f7ea7c14a57e3ae03fe4ca3b
                                                    • Instruction Fuzzy Hash: 9F410EB0D003489FDB10CFA9C484ADEBFF5FF48314F24842AE809AB250DB75A946DB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 170e10126b745603c01771757ab3e11e58938f6acae8fc1ce2f52ed6f97df4bf
                                                    • Instruction ID: 05fba1ed88b6d8b6a30418c2873f057bd5c4226d713ac5249849edd888aceea4
                                                    • Opcode Fuzzy Hash: 170e10126b745603c01771757ab3e11e58938f6acae8fc1ce2f52ed6f97df4bf
                                                    • Instruction Fuzzy Hash: 45316730B006099FDB14EB74C9157AE77B6BF88740F24046AD401EB3A8DB36DC45DB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f2ac61b1f43bdc497e55767a321ba4f973a6bb6245942c84357c8a9c2cacf1e9
                                                    • Instruction ID: a23a21410b194e61ca48f253a28bda6ca3fe5d7bb1a72ea6fedc1b03cbef366c
                                                    • Opcode Fuzzy Hash: f2ac61b1f43bdc497e55767a321ba4f973a6bb6245942c84357c8a9c2cacf1e9
                                                    • Instruction Fuzzy Hash: 7531CA30A006099FDB14EB74C9687AE77B3BF88740F2404AAD401EB3A8DB36CC45DB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 63e20fc38d0faaf8f018e885fd9d1a18ecff49ca6b572be7267978612324cb46
                                                    • Instruction ID: 317ec63a40beb4c0250181901e77120489a17ced80a288762c692d080b9bc90a
                                                    • Opcode Fuzzy Hash: 63e20fc38d0faaf8f018e885fd9d1a18ecff49ca6b572be7267978612324cb46
                                                    • Instruction Fuzzy Hash: 97316D31E0424A9BCB19CF64C45469EF7B2FF89310F14861AE905AB341DB719D46CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 01a17b56652b7cb2ec7c1ca39d843e50187f8052edfbb68495b9cb05ef58b27d
                                                    • Instruction ID: 726f08e3d6dc6fad623adea61ba5bcab8435840a39eed6ac57311da184ad38a0
                                                    • Opcode Fuzzy Hash: 01a17b56652b7cb2ec7c1ca39d843e50187f8052edfbb68495b9cb05ef58b27d
                                                    • Instruction Fuzzy Hash: 5721D878A00141ABDF22F778E8887193767F759314F294A67E405C7369DB38DC41D792
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2499afd2aee56bb7b8bb08a705d83df1ba173aaf5ca7fbf01a6e1c112199e304
                                                    • Instruction ID: 249f3cdea5840b0510857397b9c916e7620771e1fefc653fd1f1577f72f42920
                                                    • Opcode Fuzzy Hash: 2499afd2aee56bb7b8bb08a705d83df1ba173aaf5ca7fbf01a6e1c112199e304
                                                    • Instruction Fuzzy Hash: B2214D31E0424A9BCB19CF68D85469EB7B3FF89310F14C61AE905EB344DB719D82CB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 73c76da3ff68b63076a740946c9a17a0159e50a4b95bf214f4be44992a2220b0
                                                    • Instruction ID: 8dc066db50f80d2929115c9f39463ed39059573afd51786d15b4bb75e921fdea
                                                    • Opcode Fuzzy Hash: 73c76da3ff68b63076a740946c9a17a0159e50a4b95bf214f4be44992a2220b0
                                                    • Instruction Fuzzy Hash: B121F635F002416BCB21AB79E84876E7BA7FB89321F140977E809D7304EB35CC429B81
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e756fb2b459a33e55d3cb8379f0d6905b77804970d173899ae693e91c0543118
                                                    • Instruction ID: b3a66428c834c2d7789a712523ccd7ea1c339fa3ba8f2251b4d1001e0bad59e7
                                                    • Opcode Fuzzy Hash: e756fb2b459a33e55d3cb8379f0d6905b77804970d173899ae693e91c0543118
                                                    • Instruction Fuzzy Hash: 37219271E002119BCF21EBB899413AD77A2FB46320F29047BE806EB341EB39CD419791
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fe4bbbcfb4648c717051d04c47f7e0327cad7ac95bb23ef80d11347872fa7755
                                                    • Instruction ID: 162f986b2a66dd93d3c341583281ac583f6de72cddb2f511f23942f9cca0b814
                                                    • Opcode Fuzzy Hash: fe4bbbcfb4648c717051d04c47f7e0327cad7ac95bb23ef80d11347872fa7755
                                                    • Instruction Fuzzy Hash: DE21B071B001048FEB14DF78C864BAD7BF6AF8C720F298166E505EB3A4DA71CD019B56
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 90be4f2e28d2488ddab8326434b625ebffe112b18857dde914112eb67cbe237d
                                                    • Instruction ID: 466d884fb9c553fcee4ea45aeaef78c1bacee72c6e60449cf92797d5b268cb0e
                                                    • Opcode Fuzzy Hash: 90be4f2e28d2488ddab8326434b625ebffe112b18857dde914112eb67cbe237d
                                                    • Instruction Fuzzy Hash: 30216231E046099BCB15CFA4C85469EB7B3EF89310F28851AE815FB750DBB0A946DB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 90cb4333bb7609270870e8abcb669b59020234170b3ee5b75efabb232526586b
                                                    • Instruction ID: 8542a524d4067e6d999f3d1b3de4158747ddc96356c0aa5afb7ea61b8a190282
                                                    • Opcode Fuzzy Hash: 90cb4333bb7609270870e8abcb669b59020234170b3ee5b75efabb232526586b
                                                    • Instruction Fuzzy Hash: D6215C34A00609CFCB14EB78C959BAD7BF2FF49711B1444A9E406EB3A4DB319D01DB91
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 777c0c169af388553772be480d3d31cc39354c7b3eef9ff1a1c270cd2369290b
                                                    • Instruction ID: 769c15c03ec1fe4408cd086f8cb3866c3ca1d780ada41a8430d5370bfd783684
                                                    • Opcode Fuzzy Hash: 777c0c169af388553772be480d3d31cc39354c7b3eef9ff1a1c270cd2369290b
                                                    • Instruction Fuzzy Hash: 6421A574A042419FDB31A778E48833D3B62FB17325F59086BE806C7795DB358C86D752
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450233884.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_f4d000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ea27d44feeb3ed4fa54ba9bf8cd6e332d5e1009c5b5809ff6a355b176c234a04
                                                    • Instruction ID: 52db5e7068ce800b113b0363373d01f4e8a4b1e045a106b510fd55efa220bb8d
                                                    • Opcode Fuzzy Hash: ea27d44feeb3ed4fa54ba9bf8cd6e332d5e1009c5b5809ff6a355b176c234a04
                                                    • Instruction Fuzzy Hash: 36215E7150D3C09FC703CB24D994711BF71AB46224F29C5EBD8898F2A7C23A981ADB62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450233884.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_f4d000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a99886d55684687dfecc714a29721a9681d6cfeaf0f05af21858f06386b5c2f6
                                                    • Instruction ID: a5b6eed3e6932895fb8010a121bf533ca2fe9128e842b78a9db86ba0af9a62ae
                                                    • Opcode Fuzzy Hash: a99886d55684687dfecc714a29721a9681d6cfeaf0f05af21858f06386b5c2f6
                                                    • Instruction Fuzzy Hash: A821F5B1904244DFDB14DF18D9C0B26BFA5EB84324F34C56DDD0A4B25AC376D847DA62
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 94d16807bcf38d84bf9175bbf0cd3d6edc8149209ad9c4c6affc7dc89e0fa87c
                                                    • Instruction ID: bc7cc47955c2304c855f67b876d1425cfdc56e0f262bde6b860b78e14e8d591c
                                                    • Opcode Fuzzy Hash: 94d16807bcf38d84bf9175bbf0cd3d6edc8149209ad9c4c6affc7dc89e0fa87c
                                                    • Instruction Fuzzy Hash: D6213D31B002099FDB14EB78C9257AE77F6BB49351F24046AD405EB394DB35CD40EBA2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4450426874.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_fd0000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4ba524eb3b87b2d0f922ac0955fe51dbc0e2a6f24a9d9951d3fdd36931713fe7
                                                    • Instruction ID: 07dd05a41ddb199aba38f8165e866009f8e2dbd75f8bcb8d0037c6ce29e7e581
                                                    • Opcode Fuzzy Hash: 4ba524eb3b87b2d0f922ac0955fe51dbc0e2a6f24a9d9951d3fdd36931713fe7
                                                    • Instruction Fuzzy Hash: 1E213031E046099BCB19CFA4C45469EF7B6EF89310F24C51AE815FB390DBB0AD46DB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.4453229486.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_6680000_Eaton PO-45150292964.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                    • API String ID: 0-2843079600
                                                    • Opcode ID: 0e9c8c12bedee3b28773fbe3d9dcc61e9b5fb641ebdd3e1aef60b2c02f5ba705
                                                    • Instruction ID: 0baad35f459878bd3ff565151d819a694cac95d0c98b0a28e6e37922909f7124
                                                    • Opcode Fuzzy Hash: 0e9c8c12bedee3b28773fbe3d9dcc61e9b5fb641ebdd3e1aef60b2c02f5ba705
                                                    • Instruction Fuzzy Hash: 82120E70A01219CFDBA4EF79C894A9DB7F2BF88304F248669D40AAB355DB349D45CF41
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%
